Abstract

Type-flaw attacks and multi-protocol attacks are notorious threats to cryptographic 
protocol security. They are arguably the most commonly reported attacks on protocols. 
For nearly fifteen years, researchers have continuously emphasized the importance of 
preventing these attacks. 

In their classical works, Heather et al. and Guttman et al. proved that these could
be prevented by tagging encrypted messages with distinct constants, in a standard
protocol model with a free message algebra [23, 21].

However, most "real-world" protocols such as SSL 3.0 are designed with the
Exclusive-OR (XOR) operator that possesses algebraic properties, breaking the free
algebra assumption. These algebraic properties induce equational theories that need
to be considered when analyzing protocols that use the operator.

This is the problem we consider in this paper: We prove that, under certain
assumptions, tagging encrypted components still prevents type-flaw and multi-protocol
attacks even in the presence of the XOR operator and its algebraic properties.
1 Introduction



A type-flaw attack on a protocol is an attack where a message variable of one type is
essentially substituted with a message of a different type, to cause a violation of a security
property. Preventing type-flaw attacks is crucial for security protocols since they are
frequently reported in the literature [10, 27, 36].

In their pioneering work, Heather et al. proved that pairing constants called "tags" with
each message prevents type-flaw attacks [23]. However, Heather et al.'s work considered
a basic protocol model with a free message algebra. Operators such as Exclusive-OR
possess algebraic properties that violate the free algebra assumption, by inducing equational
theories.

Another very important problem for security protocols is the problem of multiple
protocols executing in parallel. This was shown to be a major cause for attacks on
protocols [25, 16]. In an outstanding work, Guttman et al. tackled this problem and proved that
if distinct protocol identifiers were to be inserted as tags inside all encrypted components,
multi-protocol attacks can be prevented [21], in the same year and conference as that of
Heather et al.'s paper [22]. However, like Heather et al., they too consider a basic and
standard model with a free term algebra.

Recent focus in research projects world-wide has been to extend protocol analysis to
protocols that use operators possessing algebraic properties, to accommodate "real-world"
protocols such as SSL 3.0 (e.g. [26, 18]). Naturally, a corresponding study into type-flaw
and multi-protocol attacks would be both crucial and interesting.

These are the problems we consider in this paper: We provide formal proofs to establish
that suggestions similar to those made by Heather et al. and Guttman et al. (to tag messages)
are sufficient to prevent all type-flaw and multi-protocol attacks on security protocols even
under the ACUN¹ algebraic properties of the Exclusive-OR (XOR) operator.

Our proof approach extends that used by us in [29], is general, and could be extended
to other operators with equations such as Inverse and Idempotence in addition to ACUN.
We give some intuitions for these in our conclusion.

Significance of the results to protocol analysis and verification. Preventing type-flaw 
and multi-protocol attacks is obviously beneficial to protocol security. However, there are 
also significant advantages to protocol analysis and verification: 

• As Heather et al. pointed out, preventing type-flaw attacks also allows many
unbounded verification approaches (e.g. [42, 11, 24]) to be meaningful, since they
assume the absence of type-flaw attacks;

• Similarly, preventing multi-protocol attacks ensures that it is sufficient to analyze
protocols in isolation, which was found to be much less complicated than analyzing
in multi-protocol environments [35, 25];

• Furthermore, knowing that these attacks can be prevented in advance reduces the
complexity of analysis and substantially shrinks the search space for automated tools;

¹Associativity, Commutativity, existence of Unity and Nilpotence.
• Preventing type-flaw attacks is a crucial step in achieving decidability results for
protocol security, as identified in [28, 39]. With decidability results in place, protocol
verification can be reduced to a trivial problem of analyzing a single session of a
protocol, to conclude its security.

The main concept used by our proofs is as follows. When terms containing XOR are
unified, the ACUN theory does not affect the unifier obtained, if all the terms that are XORed
are tagged with constants. Thus, unifiers for unification problems involving the standard
operators and the XOR operator are obtained only using the algorithm for the standard
operators. Hence, the results that were possible for the standard operators remain intact,
even when the XOR operator is used in constructing messages.

Organization. In Section 2 we will show that tagging can prevent type-flaw attacks
under XOR using an example. In Section 3 we will formalize our framework to model
protocols and their executions. In Section 4 we will prove some useful lemmas. In Section 5 we
will use these lemmas to achieve our main results and conclude with a discussion of future
and related works. We provide an index to the notation and terminology used in the paper
in Appendix A.1 and a detailed description of the Baader & Schulz algorithm for combined
theory unification [2] using an example in Appendix A.2.

2 Tagging prevents type-flaw attacks under XOR: Example

In this section, we show that tagging prevents type-flaw attacks under XOR on an example. 
The example helps in elucidating our proof strategy to achieve our main results in the 
subsequent sections. 

Consider the adapted Needham-Schroeder-Lowe protocol (NSL⊕) by Chevalier et al. [8].
We further modify it by inserting numbers 1, 2, and 3 inside each encrypted message as
suggested by Heather et al. [23]:



Msg 1. A → B : [1, N_A, A]_pk(B)
Msg 2. B → A : [2, N_A ⊕ B, N_B]_pk(A)
Msg 3. A → B : [3, N_B]_pk(B)



(A and B are agent variables; N_A, N_B are nonce variables; [X]_Y represents X
encrypted with Y; pk(X) is the public key of X).

A type-flaw attack is possible on this protocol even in the presence of component
numbering (originally presented in [33]):

Msg α.1. a → i : [1, n_a, a]_pk(i)

Msg β.1. i(a) → b : [1, n_a ⊕ b ⊕ i, a]_pk(b)

Msg β.2. b → i(a) : [2, n_a ⊕ b ⊕ i ⊕ b, n_b]_pk(a)

Msg α.2. i → a : [2, n_a ⊕ i, n_b]_pk(a) (replaying Msg β.2)

Msg α.3. a → i : [3, n_b]_pk(i)

Msg β.3. i(a) → b : [3, n_b]_pk(b)



i is the identity of the intruder or attacker; i(x) denotes i spoofing as x. We use
lower-case now for agent identities and nonces (a, b, n_a, n_b), since this is a trace of the protocol
execution, not the protocol specification.

Notice the type-flaw in the first message (n_a ⊕ b ⊕ i substituted for the claimed N_A)
that induces a type-flaw in the second message as well. This is strictly a type-flaw attack,
since without the type-flaw and consequently without exploiting the algebraic properties,
the attack is not possible.

The above attack can be avoided if tagging were to be adopted for the elements of the
XOR operator as well:

Msg 1. A → B : [1, N_A, A]_pk(B)

Msg 2. B → A : [2, [4, N_A] ⊕ [5, B], N_B]_pk(A)

Msg 3. A → B : [3, N_B]_pk(B)



Now Msg β.2 is not replayable as Msg α.2 even when i(a) sends Msg β.1 as

Msg β.1. i(a) → b : [1, [4, n_a] ⊕ [5, b] ⊕ [5, i], a]_pk(b),

since Msg β.2 then becomes

Msg β.2. b → i(a) : [2, [4, [4, n_a] ⊕ [5, b] ⊕ [5, i]] ⊕ [5, b], n_b]_pk(a).

This is not replayable as the required

Msg α.2. i → a : [2, [4, n_a] ⊕ [5, i], n_b]_pk(a)

because, inside Msg β.2, one occurrence of [5, b] is in [4, [4, n_a] ⊕ [5, b] ⊕ [5, i]] and the
other is outside. Hence, they cannot be cancelled.

This concept can be best understood when we review the attack symbolically. The crux
of the attack was the unification of the terms N_A ⊕ b (sent by agent b inside Msg 2) and n_a ⊕ i
(expected by agent a inside Msg 2). The result is a substitution of n_a ⊕ i ⊕ b, with the type
nonce ⊕ agent ⊕ agent, to the nonce variable N_A, resulting in a mismatch of types.

When we prevented the attack by adding more tags, the terms [4, N_A] ⊕ [5, b] and
[4, n_a] ⊕ [5, i] had to be unified. But they are not unifiable, since no substitution to the
variable N_A will make them equal under the ACUN theory for the ⊕ operator.
Note that a substitution of n_a ⊕ b ⊕ i to N_A will make them equal if an additional
equation, say [w, x] ⊕ [y, z] = [w ⊕ y, x ⊕ z], is considered in addition to the ACUN theory.

In this case, [4, N_A] ⊕ [5, b] will become [4 ⊕ 5, n_a ⊕ b ⊕ i ⊕ b], which is equal to [4 ⊕ 5, n_a ⊕
i], which in turn is equal to the other term to be unified, [4, n_a] ⊕ [5, i]. However, in this
paper, we consider only the ACUN algebraic properties of the ⊕ operator, but not equations
where both the standard operators such as pairing and the XOR operator are combined. We
do provide some insights into extending our work with such equations, in our conclusion.

In Sections 3, 4 and 5 we will prove formally that such tagging prevents all type-flaw
and multi-protocol attacks on protocols in general, under the ACUN theory.
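The unification argument of this section can be checked mechanically. The following Python model is an added example, not code from the paper or from any tool it cites; the term encoding and the names xor, subst, std_unify, acun_solve, type_of and TYPES are my own constructions. It puts XOR terms into ACUN normal form, applies substitutions as in Definition 1, and then contrasts the two unification problems above: for the untagged Msg 2 the single-variable ACUN unifier N_A ↦ n_a ⊕ i ⊕ b exists but is not well-typed, whereas for the tagged Msg 2 the pair summands are alien subterms with distinct tag constants, so no summand can cancel and a unifier would have to match summands one-to-one with the standard unifier, which fails.

```python
from itertools import permutations

# Constructed term encoding for this example (not the paper's notation):
#   variables:  strings starting with an upper-case letter ('NA', 'B');
#   constants:  any other string ('n_a', 'b', '4');
#   sequences:  ('seq', t1, ..., tn), which also encodes tagged pairs such as [4, N_A];
#   XOR:        ('xor', frozenset_of_summands), always built through xor() so that it
#               is in ACUN normal form.
TYPES = {'n_a': 'Nonce', 'NA': 'Nonce', 'a': 'Agent', 'b': 'Agent', 'i': 'Agent',
         'B': 'Agent', '4': 'Tag', '5': 'Tag'}        # stands in for the paper's type()

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def xor(*ts):
    """ACUN normal form: flatten nested XORs (A), keep a set of summands (C),
    drop the unit 0 (U) and cancel equal pairs (N)."""
    acc = set()
    for t in ts:
        for s in (t[1] if isinstance(t, tuple) and t[0] == 'xor' else (t,)):
            acc ^= {s}                    # a second occurrence of s cancels the first
    acc.discard('0')
    if not acc:
        return '0'
    return next(iter(acc)) if len(acc) == 1 else ('xor', frozenset(acc))

def subst(t, sigma):
    """Apply a substitution as in Definition 1; XOR nodes are renormalized afterwards."""
    if is_var(t):
        return sigma.get(t, t)
    if isinstance(t, str):
        return t
    if t[0] == 'xor':
        return xor(*(subst(s, sigma) for s in t[1]))
    return (t[0],) + tuple(subst(s, sigma) for s in t[1:])

def type_of(t):
    """Type of a term, lifted over operators as in Section 3.1.1 (XOR types as a multiset)."""
    if isinstance(t, str):
        return TYPES[t]
    if t[0] == 'xor':
        return ('xor',) + tuple(sorted((type_of(s) for s in t[1]), key=repr))
    return (t[0],) + tuple(type_of(s) for s in t[1:])

def well_typed(sigma):
    """The well-typed() predicate: every binding preserves the variable's type."""
    return all(type_of(t) == type_of(x) for x, t in sigma.items())

def occurs(v, t):
    if isinstance(t, str):
        return t == v
    return any(occurs(v, s) for s in (t[1] if t[0] == 'xor' else t[1:]))

def std_unify(a, b, sigma):
    """Standard (free-algebra) unification: an XOR node is an opaque alien subterm, so
    both sides must agree symbol by symbol.  Returns a unifier or None."""
    a, b = subst(a, sigma), subst(b, sigma)
    if a == b:
        return sigma
    for x, y in ((a, b), (b, a)):
        if is_var(x):
            return None if occurs(x, y) else {**sigma, x: y}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] != 'xor' and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            sigma = std_unify(x, y, sigma)
            if sigma is None:
                return None
        return sigma
    return None

def acun_solve(var, lhs, rhs):
    """ACUN unifier for the untagged case: a variable occurring once, at the top level of
    lhs, is solved as var = rhs ⊕ (the remaining summands of lhs)."""
    summands = lhs[1] if isinstance(lhs, tuple) and lhs[0] == 'xor' else (lhs,)
    return xor(rhs, *(s for s in summands if s != var))

def untagged_attack():
    """Msg 2 of NSL⊕: N_A ⊕ b as built by b against n_a ⊕ i as checked by a.
    Returns (the ACUN unifier makes them equal, the unifier is well-typed)."""
    sigma = {'NA': acun_solve('NA', xor('NA', 'b'), xor('n_a', 'i'))}
    return subst(xor('NA', 'b'), sigma) == xor('n_a', 'i'), well_typed(sigma)   # (True, False)

def tagged_unifiers():
    """Tagged Msg 2: [4, N_A] ⊕ [5, b] against [4, n_a] ⊕ [5, i].  The pairs are alien
    subterms with distinct tags, so none can cancel; a unifier must match them one-to-one."""
    left = [('seq', '4', 'NA'), ('seq', '5', 'b')]
    right = [('seq', '4', 'n_a'), ('seq', '5', 'i')]
    found = []
    for order in permutations(right):
        sigma = {}
        for x, y in zip(left, order):
            sigma = None if sigma is None else std_unify(x, y, sigma)
        if sigma is not None:
            found.append(sigma)
    return found                                                               # []
```

The free-algebra unifier is the only one needed for the tagged terms, which is the observation the later sections turn into a proof: once every XORed component carries a distinct tag, the combination step that would normally call an ACUN unifier has nothing to solve.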

3 The Framework 

In this section, we will describe our formal framework to model the design and analysis
of protocols, which we subsequently use to achieve the proofs for our main results in
Section 5.

We will define the term algebra in Section 3.1, the protocol model in Section 3.2,
generating symbolic constraint sequences for protocol messages and checking their satisfiability
in Section 3.3, the security properties desired of protocols and attacks on them in
Section 3.4, and our main protocol design requirements to prevent type-flaw and multi-protocol
attacks in Section 3.5.

3.1 Term Algebra 

We will first introduce the construction of protocol messages using some basic elements and
operators in Section 3.1.1. We will then introduce equational unification in Section 3.1.2.

We derive much of our concepts here from Tuengerthal's technical report [43], where
he has provided an excellent and clear explanation of equational unification.

3.1.1 Terms 

We will use italics font for sets, functions, and operators. On the other hand, we will use
sans-serif font for predicates, equations and theories (described in Section 3.1.2).

We denote the term algebra as T(F, Vars), where Vars is a set of variables, and F is a
set of function symbols or operators, called a signature. The terms in T(F, Vars) are called
F-Terms. Further,

• Vars ⊆ T(F, Vars);

• (∀f ∈ F)((arity(f) = n ∧ t_1, …, t_n ∈ T(F, Vars)) ⟹ f(t_1, …, t_n) ∈ T(F, Vars)).

The set of nullary function symbols are called constants. We assume that every variable
and constant has a "type" such as Agent, Nonce etc., returned by a function type().
We define F as StdOps ∪ {XOR} ∪ Constants, where

StdOps = {sequence, penc, senc, pk, sh}.
Further, if f ∈ F and t_1, …, t_n ∈ T(F, Vars) then

type(f(t_1, …, t_n)) = f(type(t_1), …, type(t_n)).

penc and senc denote asymmetric and symmetric encryption operators respectively, pk 
and sh denote public-key and shared-key operators respectively. We assume that they will 
always be used with one and two arguments respectively, that are of the type Agent. 

We use some syntactic sugar in using some of these operators:

sequence(t_1, …, t_n)   =   [t_1, …, t_n]
penc(t, k)              =   [t]_k
senc(t, k)              =   [t]_k
XOR(t_1, …, t_n)        =   t_1 ⊕ … ⊕ t_n

The two modes of encryption are distinguished by the superscripts o and →; we will omit
these superscripts for encryptions if the mode of encryption is contextually obvious or irrelevant.

We will write a in [a_1, …, a_n] if a ∈ {a_1, …, a_n}. We will denote the linear ordering
relation of a sequence of elements, s, as ≺_s. For instance, if s is a sequence such that
s = [s_1, …, s_n], then (∀i, j ∈ {1, …, n})((i < j) ⟹ (s_i ≺_s s_j)).

We define the subterm relation ⊑ as follows:

t ⊑ t' if t' = f(t_1, …, t_n) where f ∈ F and t ⊑ t'' for some t'' ∈ {t_1, …, t_n}.

We will use functions Vars(), Constants(), and SubTerms() on a single term or sets of
terms, that return the variables, constants and subterms in them respectively. For instance,
if T is a set of terms,

SubTerms(T) = {t | (∃t' ∈ T)(t ⊑ t')}.
3.1.2 Equational Unification 

We will now introduce the concepts of unification under equational theories. We will start 
off with some basic definitions: 

Definition 1. [Substitution]

A substitution is a tuple (x, X) (denoted x/X), where x is a term and X is a variable.
Let σ be a set of substitutions and t be a term. Then,

tσ = t, if t ∈ Constants,
   = t', if t'/t ∈ σ,
   = f(t_1σ, …, t_nσ), if f ∈ F and t = f(t_1, …, t_n).

We extend this definition to define substitutions to a set of terms: If T is a set of terms,
then Tσ = {tσ | t ∈ T}.

We will now introduce equational theories. 



Definition 2. [Identity and Equational Theory]

Given a signature F and a set of variables Vars, a set of identities E is a subset
of T(F, Vars) × T(F, Vars). We denote an identity as t = t', where t and t' belong to
T(F, Vars). An equational theory (or simply a theory) =_E is the least congruence relation
on T(F, Vars) that is closed under substitution and contains E, i.e.,

=_E = ∩ { R | R is a congruence relation on T(F, Vars), E ⊆ R and (∀σ)(t = t' ∈ R ⟹ tσ = t'σ ∈ R) }.

We write t =_E t' if (t, t') belongs to =_E.

For the signature of this paper, we define two theories, =_STD and =_ACUN.
The theory =_STD for StdOps-Terms is based on a set of identities between syntactically
equal terms, except for those made with the operator sh:

STD = { [t_1, …, t_n] = [t_1, …, t_n],
        h(t) = h(t),
        sig_k(t) = sig_k(t),
        pk(t) = pk(t),
        [t]_k = [t]_k,
        sh(t_1, t_2) = sh(t_2, t_1) }.

The theory =_ACUN is based on identities solely with the XOR (⊕) operator, reflecting the
algebraic properties of XOR:

ACUN = { t_1 ⊕ (t_2 ⊕ t_3) = (t_1 ⊕ t_2) ⊕ t_3,  t_1 ⊕ t_2 = t_2 ⊕ t_1,  t ⊕ 0 = t,  t ⊕ t = 0 }.

We will say that a term t is pure wrt theory =_E iff there exists a substitution σ and a
term t' such that t = t'σ and either _ = t' or t' = _ belongs to E:²

pure(t, =_E) ⟺ (∃t'; σ)((t = t'σ) ∧ ((t' = _ ∈ E) ∨ (_ = t' ∈ E))).

We will say that a term t' is an alien subterm of t wrt the theory =_E iff t' is a subterm of t
that is not pure wrt =_E:

ast(t', t, =_E) ⟺ (t' ⊑ t) ∧ ¬pure(t', =_E).
We will now describe equational unification. 

Definition 3. [Unification Problem, Unifier]

If F is a signature and E is a set of identities, then an E-Unification Problem over F
is a finite set of equations

Γ = { s_1 =_E t_1, …, s_n =_E t_n }

²Following Lowe [28], we adopt the functional programming convention and use an underscore (_) in a
formula when the value in it doesn't affect the truth of the formula.
between F-terms. A substitution σ is called an E-Unifier for Γ iff (∀s =_E t ∈ Γ)(sσ =_E tσ).
U_E(Γ) is the set of all E-Unifiers of Γ. An E-Unification Problem is called E-Unifiable
iff U_E(Γ) ≠ {}.

A complete set of E-Unifiers of an E-Unification Problem Γ is a set C of idempotent
E-Unifiers of Γ such that for each θ ∈ U_E(Γ) there exists σ ∈ C with σ ≥_E θ, where ≥_E
is a partial order on U_E(Γ).

An E-Unification Algorithm takes an E-Unification Problem Γ and returns a finite,
complete set of E-Unifiers.

Henceforth, we will abbreviate "Unification Algorithm" to UA and "Unification Problem"
to UP.

Two theories =_E1 and =_E2 are disjoint if E_1 and E_2 do not use any common function
symbols. UAs for two disjoint theories may be combined to output the complete set
of unifiers for UPs made with operators from both the theories, using the Baader & Schulz
Combination Algorithm (BSCA) [2].

3.2 Protocol Model 

We will now introduce our protocol model, which is based on the strand space
framework [42].

Definition 4. [Node, Strand, Protocol] A node is a tuple (±, t), denoted ±t, where t ∈
T(F, Vars). A strand is a sequence of nodes. A protocol is a set of strands called "roles".

Informally, we write +t if a node "sends" term t and −t if it "receives" t. Further, if
(s, t) is a node, then (s, t)σ = (s, tσ).

As an example for strands and protocols, consider the NSL⊕ protocol presented in
Section 2. This protocol has two roles, role_A and role_B, i.e.,

NSL⊕ = {role_A, role_B},

where

role_A = [+[1, A, N_A]_pk(B), −[2, N_A ⊕ B, N_B]_pk(A), +[3, N_B]_pk(B)], and
role_B = [−[1, A, N_A]_pk(B), +[2, N_A ⊕ B, N_B]_pk(A), −[3, N_B]_pk(B)].

We define a function Terms() to return all the terms in the nodes of a strand. If r is a
strand, then

Terms(r) = {t | (_, t) in r}.

We will also overload the functions Vars(), Constants(), and SubTerms() that were
previously defined on sets of terms to strands in the obvious way. For instance, if s is a
strand, then

SubTerms(s) = {t | (∃t')((t' ∈ Terms(s)) ∧ (t ⊑ t'))},
Vars(s) = Vars(SubTerms(s)),
Constants(s) = Constants(SubTerms(s)).






A semi-bundle S for a protocol P is a set of strands formed by applying substitutions
to some of the variables in the strands of P: If P is a protocol, then

semi-bundle(S, P) ⟺ (∀s ∈ S)((∃r ∈ P; σ)(s = rσ)).

For instance, S = {s_a1, s_a2, s_b1, s_b2} below is a semi-bundle for the NSL⊕ protocol with
two strands per role of the protocol:

s_a1 = [+[a1, na1]_pk(B1), −[na1 ⊕ B1, NB1]_pk(a1), +[NB1]_pk(B1)],

s_a2 = [+[a2, na2]_pk(B2), −[na2 ⊕ B2, NB2]_pk(a2), +[NB2]_pk(B2)],

s_b1 = [−[A3, NA3]_pk(b1), +[NA3 ⊕ b1, nb1]_pk(A3), −[nb1]_pk(b1)],

s_b2 = [−[A4, NA4]_pk(b2), +[NA4 ⊕ b2, nb2]_pk(A4), −[nb2]_pk(b2)].

(Note: As stated earlier, we use lower-case symbols for constants and upper-case for
variables.)

We will assume that every protocol has a set of variables that are considered "fresh
variables" (e.g. Nonces and Session-keys). If P is a protocol, then FreshVars(P) denotes
the set of fresh variables in P. We will call the constants substituted to fresh variables of
a protocol in its semi-bundles "fresh constants" and denote them as FreshCons(S), i.e.,
if semi-bundle(S, P), then

...c.n,s, ^ { . , ( - --^){ ) } ^ 

We assume that some fresh variables are "secret variables" and denote them as SecVars(P).
We define "SecConstants()" to return "secret constants" that were used to instantiate secret
variables of a protocol: If semi-bundle(S, P), then

) ( : iv.\%"^::iT ) } ■ 

For instance, N_A and N_B are secret variables in the NSL⊕ protocol and na1, na2, nb1, nb2
are the secret constants for its semi-bundle above.

We will lift the functions Vars(), Constants(), SubTerms(), and Terms() that were
previously defined on sets of terms and strands to sets of strands. For instance, if S is a set
of strands, then

SubTerms(S) = {t | (∃x ∈ S)(t ∈ SubTerms(x))},
Constants(S) = Constants(SubTerms(S)),
Vars(S) = Vars(SubTerms(S)),
Terms(S) = {t | (∃s ∈ S)(t ∈ Terms(s))}.

We denote the long-term shared-keys of a protocol P as LTKeys(P), where

LTKeys(P) = {x | (∃A, B)((x = sh(A, B)) ∧ (x ∈ SubTerms(P)))}.
To achieve our main results, we need to make some assumptions. Most of our
assumptions are reasonable, not too restrictive for protocol design and, in fact, good design
practices that improve security.

Before we start off with our first assumption, we will define a predicate well-typed() on
substitutions such that a substitution is said to be well-typed if the type of the variable is
the same as that of the term substituted for it:

(∀t ∈ T(F, Vars); X ∈ Vars)(well-typed(t/X) ⟺ (type(t) = type(X))).

We extend well-typed() to sets of substitutions such that a set of substitutions is
well-typed if all its elements are well-typed:

(∀σ)(well-typed(σ) ⟺ (∀t/X ∈ σ)(well-typed(t/X))).

We will now use this predicate to describe our first assumption, which states that the
substitutions that are used on roles to form semi-strands are always well-typed. This
assumption is needed to achieve our result on type-flaw attacks.

Assumption 1. (Honest agent substitutions are always well-typed)

If σ is a set of substitutions that was used on a role to form a semi-strand, then σ is
well-typed:

(∀σ)((semi-bundle(S, _) ∧ (rσ ∈ S)) ⟹ well-typed(σ)).

As noted in [14], for protocol composition or independence to hold, we first need an
assumption that long-term shared-keys are never sent as part of the payload of messages in
protocols, but only used as encryption keys. Obviously, this is a prudent and secure design
principle.

Without this assumption, there could be multi-protocol attacks even when the Guttman-
Thayer suggestion of tagging encryptions is followed. For instance, consider the following
protocols:

P1:  1. a → s : sh(a, s)

P2:  1. a → b : [1, n_a]_sh(a,s)

Now the message in the second protocol could be decrypted with sh(a, s) and n_a could
be derived from it, when it is run with the first protocol.

To formalize this assumption, we define a relation interm, denoted ⋐, on terms such that
a term t is an interm of t' if it is a subterm of t' but does not appear as an encryption key
or inside a hash or a private-key signature. Formally,

• t ⋐ t' if t = t',

• t ⋐ [t_1, …, t_n] if (t ⋐ t_1 ∨ … ∨ t ⋐ t_n),

• t ⋐ t_1 ⊕ … ⊕ t_n if (t ⋐ t_1) ∨ … ∨ (t ⋐ t_n).

Notice that an interm is also a subterm, but a subterm is not necessarily an interm. For
instance, n_a is an interm and a subterm of n_a ⊕ [a]_{n_b}, while n_b is a subterm but not an
interm.

Interms are useful in referring to the plain text of encryptions and, in general, the
"payload" of messages, i.e., everything that can be "read" by the recipient of a term. Contrast
these with the keys of encrypted terms, which can only be confirmed by decrypting with
the corresponding inverses, but cannot be read (unless included in the plain-text).

Assumption 2. If P is a protocol, then there is no term of P with a long-term key as an
interm:

(∀t ∈ SubTerms(P))((∄t' ⋐ t)(t' ∈ LTKeys(P))).

It turns out that this assumption is not sufficient. As noted by an anonymous reviewer
of a workshop version of this paper [30], we also need another assumption: if a variable
is used as a subterm of a key, then there should be no message in which that variable is sent
in plain (since a long-term shared-key could be substituted to the variable as a way around
the previous assumption).

Hence, we state our next assumption as follows: 

Assumption 3. If [t]_k is a subterm of a protocol, then no variable of k is an interm of the
protocol:

(∀[t]_k ∈ SubTerms(P))((∄X ⊑ k; t' ∈ SubTerms(P))((X ∈ Vars) ∧ (X ⋐ t'))).

Next, we will make some assumptions on the initial intruder knowledge. We will denote
the set of terms known to the intruder before protocols are run as IIK. We will first formalize
the assumption that he knows the public keys of all the agents:

Assumption 4. (∀x ∈ Constants)(pk(x) ∈ IIK).

In addition, we will also assume that the attacker knows the values of all the constants
that were substituted by honest agents for all the non-fresh variables (e.g. agent identities
a, b etc.), when they form semi-strands:

Assumption 5. Let P be a protocol. Then,

(∀x/X ∈ σ; r ∈ P)(((x ∈ Constants) ∧ (X ∉ FreshVars(P))) ⟹ (x ∈ IIK)).

Finally, we make another conventional assumption about protocols, namely that honest
agents do not reuse fresh values such as nonces and session-keys:

Assumption 6. Let S_1, S_2 be two different semi-bundles. Then,

FreshCons(S_1) ∩ FreshCons(S_2) = {}.
3.3 Constraints and Satisfiability

In this section, we will formalize the concepts of generating symbolic constraints from
node interleavings of semi-bundles and also the application of symbolic reduction rules to
determine satisfiability of those constraints. These concepts are derived from the works of
Millen-Shmatikov [37] and Chevalier [8], who later extended Millen-Shmatikov's model
with the XOR operator.

Formalizing constraint satisfiability allows us to rigorously model and reason about 
protocol executions and the security properties held within the executions: A satisfiable 
constraint sequence leads to a substitution when rules are applied on it and the substitution 
can be applied on protocols to generate protocol executions. 

Definition 5. [Constraints, Constraint sequences]

A constraint is a tuple (m, T), denoted m : T, where m is a term called the target and
T is a set of terms, called the term set:

constraint((m, T)) ⟺ (m ∈ T(F, Vars)) ∧ (T ∈ P(T(F, Vars))).

A constraint sequence is a sequence of constraints. A constraint sequence is from a
semi-bundle if its targets and the terms in its term sets belong to strands in the semi-bundle, i.e.,
if S is a semi-bundle, then cs is a constraint sequence of S, or

conseq(cs, S), if

(a) every target in cs is from a '−' node of a strand in S:

(∀m : T in cs)((∃s ∈ S; n in s)(n = −m)).

(b) every term in every term set of cs is from a '+' node of a strand in S:

(∀m : T in cs; t ∈ T)((∃s ∈ S; n in s)(n = +t)).

A "simple" constraint is a constraint whose target term is a variable, i.e., a constraint
m : T is simple if m is a variable:

simple(m : T) ⟺ (m ∈ Vars).

A "simple" constraint sequence is a sequence with all simple constraints, i.e., if cs is a
constraint sequence, then

simple(cs) ⟺ (∀c in cs)(simple(c)).

The "active constraint" of a constraint sequence is the constraint in the sequence whose
prior constraints are all simple constraints:

active(c, cs) ⟺ ((c in cs) ∧ (∀c' in cs)((c' ≺_cs c) ⟹ simple(c'))).
Rule     Active constraint before             Active constraint(s) after
concat   [t_1, …, t_n] : T                    t_1 : T, …, t_n : T
split    t : T ∪ [t_1, …, t_n]                t : T ∪ t_1 ∪ … ∪ t_n
penc     [m]_k : T                            k : T, m : T
pdec     m : [t]_pk(e) ∪ T                    m : t ∪ T
senc     [m]_k : T                            k : T, m : T
sdec     m : [t]_k ∪ T                        k : T, m : T ∪ {t, k}
sig      sig_k(t) : T                         t : T
hash     h(t) : T                             t : T
xorr     m : T ∪ t_1 ⊕ … ⊕ t_n                t_2 ⊕ … ⊕ t_n : T, m : T ∪ t_1
xorl     t_1 ⊕ … ⊕ t_n : T                    t_2 ⊕ … ⊕ t_n : T, t_1 : T

Table 1: Set of reduction rules, Rules



We denote the sequence of constraints before the active constraint c of a constraint
sequence cs as cs_< and those after c as cs_>, i.e.,

cs = cs_< ⌢ c ⌢ cs_>

if active(c, cs) is true, where ⌢ is the sequence concatenation operator.

Next, we define some symbolic reduction rules that can be applied on the active
constraint of a constraint sequence. We name the set of all such rules Rules, where

Rules = {un, ksub, join, split, senc, penc, sdec, pdec, hash, sig, xorl, xorr}.

Before defining the rules, we will explain a notation. If c = m : T is a constraint and τ
is a set of substitutions, then

cτ = mτ : Tτ.

In Table 1 we define Rules, that can be applied on the active constraint of a constraint
sequence.

The first column is the name of the rule, the second and third columns are the active
constraints before and after the application of the rule.

We define a predicate applicable() on each of these rules, that is true if the rule under
consideration is applicable on the active constraint of the given constraint sequence. The
predicate takes the name of the rule, the input sequence cs, the output sequence cs', input
substitution σ, output substitution σ', and the theory Th considered as arguments. For
instance, we define xorr as follows:

applicable(xorr, cs, cs', σ, σ', Th) ⟺ (∃m, T, t_1, …, t_n)( active(m : T ∪ t_1 ⊕ … ⊕ t_n, cs) ∧
    (cs' = cs_< ⌢ [t_2 ⊕ … ⊕ t_n : T, m : T ∪ t_1] ⌢ cs_>) ∧ (σ' = σ) ).

Note that we did not use brackets {} for singleton sets, to avoid notational clutter. For
instance, we write m : T ∪ t_1 instead of m : T ∪ {t_1}, since it is unambiguous.

We left out two important rules in the table, un and ksub, which are the only rules that
change the attacker substitution through unification. We describe them next:

applicable(un, cs, cs', σ, σ', =_E) ⟺ (∃m, T, t)( active(m : T ∪ t, cs) ∧ (cs' = cs_<τ ⌢ cs_>τ) ∧
    (σ' = σ ∪ τ) ∧ (τ ∈ U_E({m =_E t})) ).

applicable(ksub, cs, cs', σ, σ', =_E) ⟺ (∃m, T, t, k)( active(m : T ∪ [t]_k, cs) ∧
    (cs' = cs_<τ ⌢ [mτ : Tτ ∪ [t]_kτ] ⌢ cs_>τ) ∧ (σ' = σ ∪ τ) ∧ (τ ∈ U_E({k =_E pk(e)})) ).

(Note: e is a constant of type Agent, representing the name of the attacker, always
belonging to IIK.)

We will say that a constraint sequence cs' is a child constraint sequence of another
sequence cs if it can be obtained after applying some reduction rules on cs in the theory
Th:

childseq(cs, cs', Th) ⟺ (∃r_1, …, r_n ∈ Rules)( applicable(r_1, cs, cs_1, σ, σ_1, Th) ∧
    applicable(r_2, cs_1, cs_2, σ_1, σ_2, Th) ∧ … ∧ applicable(r_n, cs_{n−1}, cs', σ_{n−1}, σ_n, Th) ).

We now define "normal" constraint sequences, where the active constraint does not
have sequences on the target or in the term set and has stand-alone variables in the term set
(also recall that by definition, the target term of an active constraint is not a variable):

normal(cs) ⟺ (∃m, T)( active(m : T, cs) ∧ (∄t_1, …, t_n)([t_1, …, t_n] = m) ∧
    (∀t ∈ T)((∄t_1, …, t_n)([t_1, …, t_n] = t)) ∧ (∀t ∈ T)(t ∉ Vars) ).
Next, we will define a recursive function, normalize(), that maps constraints to
constraint sequences such that:

normalize(m : T) = [m : T], if normal(m : T);
                 = normalize(t_1 : T) ⌢ … ⌢ normalize(t_n : T), if m = [t_1, …, t_n];
                 = normalize(m : T' ∪ t_1 ∪ … ∪ t_n), if T = T' ∪ [t_1, …, t_n].

We will now overload this function to apply it on constraint sequences as well:

normalize(cs) = cs, if normal(cs);
              = cs_< ⌢ normalize(c) ⌢ cs_>, if active(c, cs).

We define satisfiability of constraints as a predicate "satisfiable" which is true if there
is a sequence of applicable rules which reduce a given normal constraint sequence cs to a
simple constraint sequence cs_n, in a theory Th, resulting in a substitution σ_n:

satisfiable(cs, σ_n, Th) ⟺ (∃r_1, …, r_n ∈ Rules)( applicable(r_1, cs, cs_1, {}, σ_1, Th) ∧
    applicable(r_2, cs'_1, cs_2, σ_1, σ_2, Th) ∧ … ∧ applicable(r_n, cs'_{n−1}, cs_n, σ_{n−1}, σ_n, Th) ∧
    simple(cs_n) ∧ (∀i ∈ {1, …, n})(cs'_i = normalize(cs_i)) ).
Notice the last clause, which requires that every constraint sequence be normalized
before any rule is applied, when checking for satisfiability.

This definition of satisfiability may seem unusual, especially to purists, since
satisfiability is usually defined using attacker capabilities as operators on sets of ground
terms to generate each target on constraints.

However, it was proven in [8] that the decision procedure on which our definition is
based is sound and complete with respect to attacker capabilities on ground terms in the
presence of the algebraic properties of XOR. Hence, we defined it directly in terms of the
decision procedure, since we will be using only that to prove our main theorem. We refer
the interested reader to [37] and [8] for more details on the underlying attacker operators,
whose usage is equated to the decision procedure that we have used.

Note also that our definition only captures completeness of the decision procedure wrt
satisfiability, not soundness, since that is the only aspect we need for our proofs in this
paper.
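To show the reduction rules of Table 1, normalize() and the satisfiable() search in operation, here is a small ground-term solver in Python. It is an added example, not code from the paper, from Millen-Shmatikov or from Chevalier; the term encoding, the sample term set and the names normalize, successors, satisfiable and demo are my own constructions. Restricting to ground terms lets un reduce to a syntactic match of the target against the term set, so ksub, the sig rule and unification with variables are left out; pdec follows the table and fires only on terms encrypted under pk(e). The search memoizes every constraint sequence it has visited, which makes it terminate because the reachable term sets are drawn from a finite universe of subterms and XOR combinations.

```python
# Constructed term encoding for this example (not the paper's notation):
#   constants: str ('na', 'k', '1');   sequences: ('seq', t1, ..., tn);
#   penc/senc: ('penc', m, key) / ('senc', m, key);   pk: ('pk', agent);   hash: ('h', t);
#   XOR: ('xor', frozenset_of_summands), kept in ACUN normal form by xor().
# A constraint m : T is the pair (m, frozenset(T)); a constraint sequence is a list of them.
ATTACKER = 'e'                      # the paper's constant e; ('pk', 'e') is the attacker's key


def xor(*ts):
    """ACUN normal form: flatten (A), set of summands (C), drop 0 (U), cancel pairs (N)."""
    acc = set()
    for t in ts:
        for s in (t[1] if isinstance(t, tuple) and t[0] == 'xor' else (t,)):
            acc ^= {s}
    acc.discard('0')
    if not acc:
        return '0'
    return next(iter(acc)) if len(acc) == 1 else ('xor', frozenset(acc))


def normalize(c):
    """concat on a sequence target and split of sequences in the term set, to a fixpoint."""
    m, T = c
    if isinstance(m, tuple) and m[0] == 'seq':                           # concat
        return [x for t in m[1:] for x in normalize((t, T))]
    seqs = {t for t in T if isinstance(t, tuple) and t[0] == 'seq'}
    if seqs:                                                            # split
        return normalize((m, frozenset((T - seqs) | {x for s in seqs for x in s[1:]})))
    return [(m, T)]


def successors(c):
    """Each list of constraints that a single rule of Table 1 may replace c with."""
    m, T = c
    out = []
    if m in T:                                                          # un (ground case)
        out.append([])
    if isinstance(m, tuple):
        if m[0] in ('penc', 'senc'):                                    # penc / senc
            out.append([(m[2], T), (m[1], T)])
        elif m[0] == 'h':                                               # hash
            out.append([(m[1], T)])
        elif m[0] == 'xor':                                             # xorl, any summand as t_1
            for t1 in m[1]:
                out.append([(xor(*(m[1] - {t1})), T), (t1, T)])
    for t in T:
        if not isinstance(t, tuple):
            continue
        rest = T - {t}
        if t[0] == 'penc' and t[2] == ('pk', ATTACKER):                 # pdec
            out.append([(m, rest | {t[1]})])
        elif t[0] == 'senc':                                            # sdec
            out.append([(t[2], rest), (m, rest | {t[1], t[2]})])
        elif t[0] == 'xor':                                             # xorr, any summand as t_1
            for t1 in t[1]:
                out.append([(xor(*(t[1] - {t1})), rest), (m, rest | {t1})])
    return out


def satisfiable(cs, seen=None):
    """Depth-first search for a rule sequence that solves every constraint of cs.
    States are memoized: revisiting one means that branch already failed or is cyclic."""
    seen = set() if seen is None else seen
    cs = [c for c0 in cs for c in normalize(c0)]
    if not cs:
        return True
    state = tuple(cs)
    if state in seen:
        return False
    seen.add(state)
    return any(satisfiable(new + cs[1:], seen) for new in successors(cs[0]))


# Constructed sample: the intruder's initial knowledge plus one message [1, na ⊕ k, nb]
# encrypted under the attacker's own public key.
IIK = frozenset({'a', 'b', ('pk', 'a'), ('pk', 'b'), ('pk', ATTACKER)})
MSG = ('penc', ('seq', '1', xor('na', 'k'), 'nb'), ('pk', ATTACKER))


def demo():
    """Can the nonce na be derived?  With k known: pdec, split, xorr, un, un.  Without k: no."""
    return satisfiable([('na', IIK | {MSG, 'k'})]), satisfiable([('na', IIK | {MSG})])   # (True, False)
```

Tracing demo() by hand reproduces the rule order the paper describes for its own example: pdec exposes the sequence, the normalization step splits it into the term set, xorr cancels k out of na ⊕ k, and two applications of un close the remaining constraints; without k the xorr branch needs na itself, which is exactly the cyclic state the memo table rejects.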

3.4 Security properties and attacks 

Every security protocol is designed to achieve certain goals (e.g. secure key establishment, 
authentication). Correspondingly, every execution of a protocol is expected to satisfy some 
security properties. For instance, a key establishment protocol should not leak the key 
being established, which would be a violation of secrecy. Similarly, a key establishment 
protocol should not lead an honest agent to exchange a key with an attacker which would 
be a violation of both secrecy and authentication. 

Whether security properties such as secrecy hold on executions of protocols can be tested 
by forming semi-bundles of the protocols, forming constraint sequences from the 
semi-bundles, adding the desired property to be tested to the constraint sequences, and then 
checking if the resulting constraint sequence is satisfiable. 

For instance, consider the following constraint sequence from a semi-bundle of the 
NSL$\oplus$ protocol: 

$$
\begin{array}{lcl}
[1, N_A, A]_{pk(b)} & : & [1, n_a, a]_{pk(B)} \cup IIK \;(= T_1) \\
{[2, n_a \oplus B, N_B]_{pk(a)}} & : & [2, N_A \oplus b, n_b]_{pk(A)} \cup T_1 \;(= T_2) \\
{[3, n_b]_{pk(b)}} & : & [3, N_B]_{pk(B)} \cup T_2 \\
n_b & : & T_2
\end{array}
$$

The first three constraints are obtained from a semi-bundle with one strand per role of 
the NSL$\oplus$ protocol. The last constraint is an artificial constraint added to them, to test if 
secrecy is violated in the sequence. 

If the constraint sequence is solved by applying the rules previously defined, it shows 
that the nonce $n_b$, which is supposedly secret, can be obtained by the attacker by interleaving 
the messages of honest agents $a$ and $b$. Specifically, we would apply penc to the first 
constraint, and split it into $[1, N_A, A] : T_1$ and $pk(b) : T_1$. We would then apply pair to 
split the former into three constraints: $1 : T_1$, $N_A : T_1$, and $A : T_1$. Next, rule un is applied 
on the second constraint, unifying terms $[2, n_a \oplus B, N_B]_{pk(a)}$ and $[2, N_A \oplus b, n_b]_{pk(A)}$. The 
resulting unifier $\{n_a \oplus b \oplus e/N_A,\; e/B,\; n_b/N_B\}$ is applied on the term in the third constraint, 
$[3, N_B]_{pk(B)}$, making it $[3, n_b]_{pk(e)}$. Finally, $n_b$ can be extracted from this term using pdec 
and pair, satisfying the last constraint. 

Our definition of type-flaw attacks is general, and is valid for any property such as secrecy 
that can be tested on satisfiable constraint sequences from semi-bundles of protocols. 

Definition 6. [Type-flaw attack] 

A protocol has a type-flaw attack in the theory $Th$ iff there exists a semi-bundle from 
the protocol that has a constraint sequence satisfiable only with a substitution that is not 
well-typed: i.e., if $P$ is a protocol, then: 

$$
\left(\begin{array}{l}
\text{semi-bundle}(S, P) \wedge \mathrm{conseq}(cs, S) \wedge \\
(\exists \sigma)(\mathrm{satisfiable}(cs, \sigma, Th) \wedge \neg\text{well-typed}(\sigma)) \wedge \\
\neg(\exists \sigma')(\mathrm{satisfiable}(cs, \sigma', Th) \wedge \text{well-typed}(\sigma'))
\end{array}\right) \Rightarrow \mathrm{typeFlawAttack}(P, Th).
$$

While our result on type-flaw attacks is general and valid for any trace property, we 
achieve our other result on multi-protocol attacks in the context of secrecy (extensible to 
other properties such as authentication). Accordingly, we provide a definition for the property 
below. 

Definition 7. [Secrecy] 

A protocol is secure for secrecy in the theory $Th$ if no constraint sequence from semi-bundles 
of the protocol is satisfiable after a constraint, with its target a secret constant 
of the semi-bundle and its term set the term set of the last constraint of the sequence, is 
added as the last constraint of the sequence, i.e., if $P$ is a protocol, then 

$$
\mathrm{secureForSecrecy}(P, Th) \Leftarrow \neg(\exists sec, cs, S)
\left(\begin{array}{l}
\text{semi-bundle}(S, P) \wedge \mathrm{conseq}(cs, S) \wedge \\
(cs = [\_ : \_, \ldots, \_ : T]) \wedge \\
(sec \in SecConstants(S)) \wedge \\
\mathrm{satisfiable}(cs \,{}^\frown\, [sec : T], \sigma, Th)
\end{array}\right)
$$



3.5 Main Requirements - NUT and $\mu$-NUT 

We now formulate our main requirements on protocol messages to prevent all type-flaw and 
multi-protocol attacks in the $=_{S \cup A}$ theory (S $\cup$ A is an abbreviation for STD $\cup$ ACUN). The 
requirements are slight variations of the suggestions by Heather et al. and Guttman et al., 
who suggest inserting distinct component numbers inside encryptions. In a symbolic model, 
such component numbering guarantees NUT (Non-Unifiability of encrypted Terms). 

We will first define a function EncSubt() that returns all the encrypted subterms of a 
term: 

$$ \mathrm{EncSubt} : T(F, Vars) \rightarrow \mathcal{P}(T(F, Vars)) $$

where $\mathcal{P}(X)$ is the power-set of the set $X$, and, if $m$ is a term, then $\mathrm{EncSubt}(m)$ is the 
set of all terms such that if $t$ belongs to the set, then $t$ must be a subterm of $m$ and is an 
encryption, hash or signature: 

$$
\mathrm{EncSubt}(m) = \left\{\, t \;\middle|\; (\exists t', k' \in T(F, Vars))
\left(\begin{array}{l}
(t \sqsubseteq m) \wedge \\
((t = [t']_{k'}) \vee (t = [t']^{?}_{k'}) \vee \\
\;(t = h(t')) \vee (t = sig_{k'}(t')))
\end{array}\right)\right\}
$$

Further, if $S$ is a set of strands, then its encrypted subterms are the encryptions of its 
subterms: 

$$ \mathrm{EncSubt}(S) = \{ t \mid (\exists t')((t' \in \mathrm{SubTerms}(S)) \wedge (t \in \mathrm{EncSubt}(t'))) \}. $$

Definition 8. [NUT] 

A protocol $P$ is NUT-Satisfying, i.e., 

$$ \text{NUT-Satisfying}(P) \text{ iff} $$

(a) An encrypted subterm of the protocol is not STD-Unifiable with any other non-variable 
subterm of the protocol: 

$$
(\forall t_1, t_2)\left(
\left(\begin{array}{l}
(t_2 \notin Vars) \wedge \\
(t_1 \in \mathrm{EncSubt}(P)) \wedge \\
(t_2 \in \mathrm{SubTerms}(P)) \wedge \\
(t_1 \neq t_2)
\end{array}\right)
\Rightarrow ((\forall \sigma_1, \sigma_2)(U_{STD}(t_1\sigma_1, t_2\sigma_2) = \{\}))
\right)
$$

(b) A key used in an asymmetric encryption is not a free variable: 

$$ (\forall t \in \mathrm{EncSubt}(P))\left((\exists t', k)\left((t = [t']^{?}_{k}) \Rightarrow (k \notin Vars)\right)\right). $$

(c) If an XOR term, say $t_1 \oplus \ldots \oplus t_n$, is a subterm of $P$, then no two terms in $\{t_1, \ldots, t_n\}$ 
are STD-Unifiable, unless they are equal. 

The first requirement can be satisfied by simply inserting distinct component numbers 
inside distinct encrypted subterms of a protocol, as was done in the NSL$\oplus$ protocol in 
Section 2. 

The second requirement can be satisfied by adding a distinct constant to the key of an 
asymmetric encryption, if it was a free variable. For instance, $[1, N_A, A]$ encrypted under a 
variable key can be transformed into $[1, N_A, B]_{pk(B)}$. 

The third requirement can also be satisfied in much the same way as the other two. 
We can add a distinct constant to each textually distinct variable inside an XOR term. For 
instance, the second message in the original NSL$\oplus$ protocol was 

$$ [2, N_A \oplus B, N_B]_{pk(A)}. $$

With the number '2' inside this message and numbers '1' and '3' inside the others, the 
protocol satisfied the first requirement above, but was still vulnerable to an attack. The 
third requirement above requires that the second message be changed to 

$$ [2, [4, N_A] \oplus [5, B], N_B]_{pk(A)}, $$

which prevents the attack. 

Next we deal with multi-protocol environments. Our requirement defined below, namely 
$\mu$-NUT, ensures that encrypted terms in different protocols cannot be replayed into one 
another. The requirement is an extension of Guttman-Thayer's suggestion to make encrypted 
terms distinguishable across protocols, to include XOR as well. 

We first define a set $XorTerms$ as: 

$$ XorTerms = \{ t \mid (\exists t_1, \ldots, t_n \in T(F, Vars))(t_1 \oplus \ldots \oplus t_n = t) \}. $$

We are now ready to state the main requirement formally: 

Definition 9. [$\mu$-NUT] 

Two protocols $P_1$ and $P_2$ are $\mu$-NUT-Satisfying, i.e., $\mu$-NUT-Satisfying$(P_1, P_2)$ iff: 

1. Encrypted subterms in both protocols are not STD-Unifiable after applying any 
substitutions to them: 

$$ (\forall t_1 \in \mathrm{EncSubt}(P_1), t_2 \in \mathrm{EncSubt}(P_2))((\forall \sigma_1, \sigma_2)(U_{STD}(t_1\sigma_1, t_2\sigma_2) = \{\})). $$

2. Subterms of XOR-terms of one protocol (that are not XOR-terms themselves) are not 
STD-Unifiable with any subterms of XOR-terms of the other protocol (that are not 
XOR-terms as well): 

$$
\left(\begin{array}{l}
\forall\, t_1 \oplus \ldots \oplus t_n \in \mathrm{SubTerms}(P_1), \\
\;\;\; t'_1 \oplus \ldots \oplus t'_m \in \mathrm{SubTerms}(P_2);\; t, t'
\end{array}\right)
\left(
\left(\begin{array}{l}
(t \in \{t_1, \ldots, t_n\}) \wedge (t' \in \{t'_1, \ldots, t'_m\}) \wedge \\
(t_1, \ldots, t_n, t'_1, \ldots, t'_m \notin XorTerms)
\end{array}\right)
\Rightarrow (\forall \sigma, \sigma')(U_{STD}(t\sigma, t'\sigma') = \{\})
\right)
$$

The first requirement is the same as the Guttman-Thayer suggestion. The second requirement 
extends it to the case of XOR-terms, which is our stated extension in this paper. 

The NSL$\oplus$ protocol can be transformed to suit this requirement by tagging its encrypted 
messages as follows: 

$$
\begin{array}{lll}
\text{Msg 1.} & A \rightarrow B : & [nsl\oplus, N_A, A]_{pk(B)} \\
\text{Msg 2.} & B \rightarrow A : & [nsl\oplus, [nsl\oplus, N_A] \oplus [nsl\oplus, B], N_B]_{pk(A)} \\
\text{Msg 3.} & A \rightarrow B : & [nsl\oplus, N_B]_{pk(B)}
\end{array}
$$

The constant "nsl$\oplus$" inside the encryptions can be encoded using some suitable bit-encoding 
when the protocol is implemented. Obviously, other protocols must have their 
encrypted subterms start with the names of those protocols. 

We will later use this requirement in Section 5.2 to prove that this is sufficient to prevent 
all multi-protocol attacks on security protocols, even when they use the XOR operator. 
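As an added, runnable illustration of Definitions 8 and 9 (this code is not from the paper; the term encoding, the function names and the second protocol P2 are constructed for the example), the following Python checks NUT conditions (a), (b) and (c) and $\mu$-NUT conditions 1 and 2 with a syntactic unifier, i.e. $U_{STD}$, in which $\oplus$ is treated as a free symbol and "for all $\sigma_1, \sigma_2$" is realised by renaming the two terms apart. It runs the original numbered NSL$\oplus$ second message (condition (c) fails on $N_A$ and $B$), the repaired message $[2, [4, N_A] \oplus [5, B], N_B]_{pk(A)}$ (no violation), and the nsl$\oplus$-tagged protocol against the constructed protocol P2, with and without protocol-name tags.

```python
"""NUT / mu-NUT checker over a free term algebra with a syntactic (STD) unifier.

Added example; not code from the paper. Term encoding (constructed here):
  ('V', name)             variable        ('C', name)            constant
  ('pair', t1, ..., tn)   [t1, ..., tn]   ('xor', t1, ..., tn)   t1 (+) ... (+) tn
  ('enc', body, key)      [body]_key      ('pk', agent)          pk(agent)
Every 'enc' is taken to be an asymmetric encryption, as in the NSL(+) messages."""
from itertools import combinations

def V(n): return ('V', n)
def C(n): return ('C', n)
def pair(*ts): return ('pair',) + ts
def xor(*ts): return ('xor',) + ts
def enc(body, key): return ('enc', body, key)
def pk(agent): return ('pk', agent)

ENC_OPS = {'enc', 'h', 'sig'}                      # the constructors EncSubt() collects
def is_var(t): return t[0] == 'V'
def is_atom(t): return t[0] in ('V', 'C')

def uniq(xs):
    out = []
    for x in xs:
        if x not in out: out.append(x)
    return out

def subterms(t):
    """SubTerms(): t and everything below it."""
    return [t] if is_atom(t) else [t] + [s for a in t[1:] for s in subterms(a)]

def enc_subterms(t):
    """EncSubt(): subterms that are encryptions, hashes or signatures."""
    return [s for s in subterms(t) if s[0] in ENC_OPS]

def rename(t, tag):
    """Rename variables apart so two terms share none (stands in for 'any sigma1, sigma2')."""
    if is_var(t): return ('V', t[1] + tag)
    return t if t[0] == 'C' else (t[0],) + tuple(rename(a, tag) for a in t[1:])

def walk(t, sub):
    while is_var(t) and t in sub: t = sub[t]
    return t

def occurs(v, t, sub):
    t = walk(t, sub)
    return t == v or (not is_atom(t) and any(occurs(v, a, sub) for a in t[1:]))

def unify(s, t, sub=None):
    """Syntactic unification with occurs check; XOR is just another free symbol here,
    which is the =STD view the NUT conditions quantify over. Returns dict or None."""
    sub = {} if sub is None else sub
    s, t = walk(s, sub), walk(t, sub)
    if s == t: return sub
    if is_var(s):
        if occurs(s, t, sub): return None
        sub[s] = t
        return sub
    if is_var(t): return unify(t, s, sub)
    if s[0] == 'C' or t[0] == 'C' or s[0] != t[0] or len(s) != len(t): return None
    for a, b in zip(s[1:], t[1:]):
        sub = unify(a, b, sub)
        if sub is None: return None
    return sub

def std_unifiable(t1, t2):
    """U_STD(t1 s1, t2 s2) is non-empty for some s1, s2 iff the renamed-apart terms unify."""
    return unify(rename(t1, "'"), rename(t2, "''")) is not None

def nut_violations(protocol):
    """Def. 8: returns [] iff the protocol (a list of message terms) is NUT-Satisfying."""
    subs = uniq(s for m in protocol for s in subterms(m))
    encs = uniq(s for m in protocol for s in enc_subterms(m))
    viol = []
    for t1 in encs:                          # (a): distinct from every other non-variable subterm
        for t2 in subs:
            if not is_var(t2) and t2 != t1 and std_unifiable(t1, t2):
                viol.append(('a', t1, t2))
    for t in encs:                           # (b): asymmetric key is not a free variable
        if t[0] == 'enc' and is_var(t[2]):
            viol.append(('b', t, t[2]))
    for t in subs:                           # (c): XOR arguments pairwise non-unifiable unless equal
        if t[0] == 'xor':
            for x, y in combinations(t[1:], 2):
                if x != y and std_unifiable(x, y):
                    viol.append(('c', x, y))
    return uniq(viol)

def xor_args(protocol):
    """Non-XOR direct arguments of the XOR subterms of a protocol (mu-NUT condition 2)."""
    return uniq(a for m in protocol for s in subterms(m) if s[0] == 'xor' for a in s[1:] if a[0] != 'xor')

def mu_nut_violations(p1, p2):
    """Def. 9: cross-protocol pairs that are still STD-unifiable after renaming apart."""
    e1 = uniq(s for m in p1 for s in enc_subterms(m))
    e2 = uniq(s for m in p2 for s in enc_subterms(m))
    viol = [(1, a, b) for a in e1 for b in e2 if std_unifiable(a, b)]
    viol += [(2, a, b) for a in xor_args(p1) for b in xor_args(p2) if std_unifiable(a, b)]
    return viol

# Protocol specifications: agents A, B and nonces N_A, N_B are the variables of the roles.
NA, NB, A, B = V('NA'), V('NB'), V('A'), V('B')
NSL_NUMBERED = [enc(pair(C('1'), NA, A), pk(B)),
                enc(pair(C('2'), xor(NA, B), NB), pk(A)),          # the message that was attacked
                enc(pair(C('3'), NB), pk(B))]
NSL_FIXED = [NSL_NUMBERED[0],
             enc(pair(C('2'), xor(pair(C('4'), NA), pair(C('5'), B)), NB), pk(A)),  # condition (c) repair
             NSL_NUMBERED[2]]
NSL_TAGGED = [enc(pair(C('nsl+'), NA, A), pk(B)),                   # the mu-NUT form from the paper
              enc(pair(C('nsl+'), xor(pair(C('nsl+'), NA), pair(C('nsl+'), B)), NB), pk(A)),
              enc(pair(C('nsl+'), NB), pk(B))]
# Constructed second protocol P2 with the same message shapes, with a protocol-name tag
# and with bare component numbers that collide with NSL(+)'s.
X, Y, Z, W = V('X'), V('Y'), V('Z'), V('W')
def p2(tag):
    return [enc(pair(C(tag), X, Y), pk(Z)),
            enc(pair(C(tag), xor(pair(C(tag), X), pair(C(tag), Z)), W), pk(Y))]
P2_TAGGED, P2_NUMBERED = p2('p2'), p2('1')

if __name__ == '__main__':
    print('NUT, numbered NSL(+):', nut_violations(NSL_NUMBERED))
    print('NUT, repaired NSL(+):', nut_violations(NSL_FIXED))
    print('mu-NUT, tagged:', mu_nut_violations(NSL_TAGGED, P2_TAGGED))
    print('mu-NUT, numbered:', mu_nut_violations(NSL_NUMBERED, P2_NUMBERED))
```

Renaming apart before unifying is what makes the checker decide "non-unifiable under every pair of substitutions": if the apart-renamed terms have a unifier, some instances of the originals unify, and if they have none, no instantiation can create one. The ACUN equations are deliberately absent, because conditions (a) and (c) are stated on $U_{STD}$; the XOR algebra enters only through the later lemmas.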

4 Some Lemmas 

In this section, we provide some useful lemmas that we will use later in our main theorems. 

• In Section 4.1, we prove that if two non-variable StdOps-terms were obtained by 
applying two well-typed substitutions to the same term, then the unifier for the two 
terms is necessarily well-typed; 

• In Section 4.2, we first introduce the Baader & Schulz Combination Algorithm (BSCA) 
to find unifiers for UPs from two disjoint theories, say $=_{E_1}$ and $=_{E_2}$ [citation]. We will then 
prove that if the unifier for the $E_1$-UP from a given $(E_1 \cup E_2)$-UP, say $\Gamma$, is empty, 
then the combined unifier is simply equal to the unifier for the $E_2$-UP from $\Gamma$; 

• In Section 4.3, we prove that all ACUN-UPs formed by using BSCA on an original 
$(S \cup A)$-UP that does not have free variables in XOR terms have only constants as 
subterms. 

4.1 Well-typed standard terms unify only under well-typed unifiers 

In our first lemma, we prove that two StdOps-terms obtained by instantiating the same 
StdOps-term with well-typed substitutions unify only under a well-typed substitution: 

Lemma 1. [Well-typed StdOps-terms unify only under well-typed unifiers] 

If $t$ is a non-variable term that is pure wrt the $=_{STD}$ theory: 

$$ (t \notin Vars) \wedge \mathrm{pure}(t, =_{STD}), $$

and $t_1$, $t_2$ are two terms that are also pure wrt the $=_{STD}$ theory, and obtained by applying 
sets of substitutions $\sigma_1$ and $\sigma_2$ such that 

$$ t_1 = t\sigma_1 \text{ and } t_2 = t\sigma_2, $$

and $\sigma_1$, $\sigma_2$ are well-typed: 

$$ \text{well-typed}(\sigma_1) \wedge \text{well-typed}(\sigma_2), $$

and every $x/X \in \sigma_1 \cup \sigma_2$ is such that $x$ is pure wrt $=_{STD}$: 

$$ (\forall x/X \in \sigma_1 \cup \sigma_2)(\mathrm{pure}(x, =_{STD})), $$

then any unifier for $t_1$ and $t_2$ will necessarily be well-typed: 

$$ (\forall \tau)((t_1\tau =_{STD} t_2\tau) \Rightarrow \text{well-typed}(\tau)). $$
Proof. Let $t = op(t'_1, \ldots, t'_n)$ where $op \in StdOps$. Now, 

$$
\begin{array}{lcll}
t_1 & = & t\sigma_1 & \text{(from hypothesis)}, \\
    & = & op(t'_1\sigma_1, \ldots, t'_n\sigma_1) & \text{(from Def. [?])}.
\end{array}
$$

Similarly, $t_2 = op(t'_1\sigma_2, \ldots, t'_n\sigma_2)$. Let $\tau$ be a set of substitutions. Then, we have that 

$$ (t_1\tau =_{STD} t_2\tau) \Rightarrow (\forall i \in \{1, \ldots, n\})(t'_i\sigma_1\tau =_{STD} t'_i\sigma_2\tau). $$

Without loss of generality, consider 

$$ t'_1\sigma_1\tau =_{STD} t'_1\sigma_2\tau. $$

Then, since $\sigma_1$ and $\sigma_2$ are well-typed, $\tau$ will be well-typed when: 

• Both $t'_1\sigma_1$ and $t'_1\sigma_2$ are variables; or 

• $t'_1\sigma_1$ is a variable and $t'_1\sigma_2$ is a constant; or 

• $t'_1\sigma_1$ is a constant and $t'_1\sigma_2$ is a variable. 

For instance, if $(t'_1\sigma_1 \in Vars)$ s.t. $t'_1\sigma_1 = X$ and $(t'_1\sigma_2 \in Constants)$ s.t. $t'_1\sigma_2 = y$, 
then, since well-typed$(\sigma_1)$ and well-typed$(\sigma_2)$, we have 

$$ type(t'_1) = type(X) = type(y), $$

and well-typed$(y/X)$. Thus, we conclude: 

$$
\left(
\left(\begin{array}{l}
(t'_1\sigma_1 \in Constants;\ t'_1\sigma_2 \in Vars) \vee \\
(t'_1\sigma_1 \in Vars;\ t'_1\sigma_2 \in Constants)
\end{array}\right)
\wedge (t'_1\sigma_1\tau =_{STD} t'_1\sigma_2\tau)
\right) \Rightarrow \text{well-typed}(\tau). \quad (2)
$$

Given this, let us now assume for the purpose of induction that a unifier for $t'_1\sigma_1$ and 
$t'_1\sigma_2$ will be well-typed when both $t'_1\sigma_1$ and $t'_1\sigma_2$ are compound terms, i.e., 

$$ (t'_1\sigma_1, t'_1\sigma_2 \notin Vars \cup Constants) \wedge (t'_1\sigma_1\tau =_{STD} t'_1\sigma_2\tau) \Rightarrow \text{well-typed}(\tau). \quad (3) $$

Combining (2) and (3), we can conclude that all the unifiers for $t'_i\sigma_1$ and $t'_i\sigma_2$ 
($i \in \{1, \ldots, n\}$) are well-typed: 

$$ (\forall i \in \{1, \ldots, n\})((t'_i\sigma_1\tau =_{STD} t'_i\sigma_2\tau) \Rightarrow \text{well-typed}(\tau)). $$

This implies that our hypothesis is true: 

$$ (t\sigma_1\tau =_{STD} t\sigma_2\tau) \Rightarrow \text{well-typed}(\tau). $$

□ 
4.2 Combined unifier when one of the unifiers is empty 

Our next two lemmas are related to the combined unification of $(E_1 \cup E_2)$-UPs, where $=_{E_1}$ 
and $=_{E_2}$ are disjoint. 

We first define the variables of a UP, $\Gamma$, as $Vars(\Gamma)$, where every element of $Vars(\Gamma)$ is 
a variable and a subterm of a UP in $\Gamma$: 

$$ Vars(\Gamma) = \{ X \mid (\exists s = t \in \Gamma)(((X \sqsubseteq s) \vee (X \sqsubseteq t)) \wedge (X \in Vars)) \}. $$

Similarly, 

$$ Constants(\Gamma) = \{ X \mid (\exists s = t \in \Gamma)(((X \sqsubseteq s) \vee (X \sqsubseteq t)) \wedge (X \in Constants)) \}. $$

Further, we will say that a term $t$ belongs to a UP, say $\Gamma$, if $t$ is one of the terms of 
one of the problems in $\Gamma$, i.e., 

$$ (t \in \Gamma) \Leftarrow (\exists t')(t = t' \in \Gamma). $$

We will now explain how two UAs $A_{E_1}$ and $A_{E_2}$ for two disjoint theories $=_{E_1}$ and 
$=_{E_2}$ respectively may be combined to output the unifiers for a $(E_1 \cup E_2)$-UP using the Baader 
& Schulz Combination Algorithm (BSCA) [citation]. We give a more detailed explanation in 
Appendix A.2 using an example UP for the interested reader. 

BSCA takes as input a $(E_1 \cup E_2)$-UP, say $\Gamma$, and applies some transformations on it 
to derive $\Gamma_{5.1}$ and $\Gamma_{5.2}$ that are sets of $E_1$-UPs and $E_2$-UPs respectively. We outline the steps 
in this process below (we formalize these steps directly in Lemma 3, where we use BSCA 
in detail): 

Step 1. (Purify terms) BSCA first "purifies" the given $(E = E_1 \cup E_2)$-UP, $\Gamma$, into a new 
UP, $\Gamma_1$, with the introduction of some new variables, such that all the terms are "pure" wrt 
$=_{E_1}$ or $=_{E_2}$. 

Step 2. (Purify problems) Next, BSCA purifies $\Gamma_1$ into $\Gamma_2$ such that every UP in $\Gamma_2$ has 
both terms pure wrt the same theory, $=_{E_1}$ or $=_{E_2}$. 

Step 3. (Variable identification) Next, BSCA partitions $Vars(\Gamma_2)$ into a partition $VarIdP$ 
such that each variable in $\Gamma_2$ is replaced with a representative from the same equivalence 
class in $VarIdP$. The result is $\Gamma_3$. 

Step 4. (Split the problem) The next step of BSCA is to split $\Gamma_3$ into two UPs $\Gamma_{4.1}$ 
and $\Gamma_{4.2}$ such that each set has every problem with terms that are pure wrt $=_{E_1}$ or $=_{E_2}$ 
respectively. 

Step 5. (Solve systems) The penultimate step of BSCA is to partition all the variables 
in $\Gamma_3$ into two sets: let $p = \{V_1, V_2\}$ be a partition of $Vars(\Gamma_3)$. Then, the earlier 
problems ($\Gamma_{4.1}$, $\Gamma_{4.2}$) are further split such that all the variables in one set of the partition 
are replaced with new constants in the other set and vice-versa. The resulting sets are $\Gamma_{5.1}$ 
and $\Gamma_{5.2}$. 

Step 6. (Combine unifiers) The final step of BSCA is to combine the unifiers for $\Gamma_{5.1}$ 
and $\Gamma_{5.2}$, obtained using $A_{E_1}$ and $A_{E_2}$: 
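To make Steps 1, 2 and 4 concrete, and to show the effect that Lemma 3 in Section 4.3 relies on, the following Python (an added example, not the paper's code; the term encoding, the function names and the two sample problems are constructed here) purifies an $(S \cup A)$-UP into STD and ACUN problems, with Step 3 taken as the trivial partition and Step 5 omitted. On the repaired NSL$\oplus$ second message the ACUN side contains only new variables; on the original message the protocol's own variables $N_A$ and $B$ reach the ACUN side, which is exactly the situation the lemma's hypothesis rules out.

```python
"""Steps 1, 2 and 4 of the Baader-Schulz combination algorithm for STD + ACUN.

Added example; not the paper's code. Term encoding (constructed here):
  ('V', name) variable, ('C', name) constant, ('xor', t1, ..., tn) for t1 (+) ... (+) tn,
  and any other tuple ('pair' | 'enc' | 'pk' | 'h' | 'sig', args...) is a StdOps term."""
from itertools import count

def V(n): return ('V', n)
def C(n): return ('C', n)
def pair(*ts): return ('pair',) + ts
def xor(*ts): return ('xor',) + ts
def enc(body, key): return ('enc', body, key)
def pk(agent): return ('pk', agent)

def theory_of(t):
    """Theory whose signature the top symbol belongs to; atoms are pure in both (None)."""
    if t[0] in ('V', 'C'): return None
    return 'ACUN' if t[0] == 'xor' else 'STD'

def purify(t, th, eqs, fresh):
    """Step 1: return t made pure wrt theory th. A maximal alien subterm (top symbol of the
    other theory) is replaced by a new variable X, and X = alien is recorded in eqs under
    the alien's own theory, after purifying the alien recursively."""
    if theory_of(t) is None:
        return t
    if theory_of(t) != th:
        x = fresh()
        eqs.append((theory_of(t), x, purify(t, theory_of(t), eqs, fresh)))
        return x
    return (t[0],) + tuple(purify(a, th, eqs, fresh) for a in t[1:])

def bsca_split(problems):
    """Steps 1, 2 and 4: purify every s = t and split into (STD-UPs, ACUN-UPs), i.e. the
    Gamma_4.1 / Gamma_4.2 of the text. problems is a list of (s, t) pairs; new variables
    are named X1, X2, ... (a naming convention of this example)."""
    counter = count(1)
    fresh = lambda: V('X%d' % next(counter))
    eqs = []                                            # (theory, lhs, rhs)
    for s, t in problems:
        ths, tht = theory_of(s), theory_of(t)
        if ths and tht and ths != tht:                  # Step 2: mixed problem, link both sides via X
            x = fresh()
            eqs.append((ths, x, purify(s, ths, eqs, fresh)))
            eqs.append((tht, x, purify(t, tht, eqs, fresh)))
        else:
            th = ths or tht or 'STD'                    # two atoms: an STD problem by convention
            eqs.append((th, purify(s, th, eqs, fresh), purify(t, th, eqs, fresh)))
    std = [(a, b) for th, a, b in eqs if th == 'STD']
    acun = [(a, b) for th, a, b in eqs if th == 'ACUN']
    return std, acun

def vars_of(t):
    if t[0] == 'V': return {t}
    if t[0] == 'C': return set()
    return set().union(*(vars_of(a) for a in t[1:]))

def original_vars_on_acun_side(problems):
    """Variables of the original UP that survive into the ACUN problems. Lemma 3's
    hypothesis (no free variables directly under XOR) makes this set empty."""
    orig = set().union(*(vars_of(s) | vars_of(t) for s, t in problems))
    _, acun = bsca_split(problems)
    on_acun = set().union(*(vars_of(s) | vars_of(t) for s, t in acun)) if acun else set()
    return on_acun & orig

# The (S u A)-UP produced by rule 'un' on the second NSL(+) message, once for the repaired
# message [2,[4,N_A](+)[5,B],N_B]_pk(A) and once for the original [2,N_A(+)B,N_B]_pk(A).
# Lower-case names are the honest agents' constants, upper-case names the role variables.
na, nb, a, b = C('na'), C('nb'), C('a'), C('b')
NA, NB, A, B = V('NA'), V('NB'), V('A'), V('B')
FIXED_UP = [(enc(pair(C('2'), xor(pair(C('4'), na), pair(C('5'), B)), NB), pk(a)),
             enc(pair(C('2'), xor(pair(C('4'), NA), pair(C('5'), b)), nb), pk(A)))]
ORIGINAL_UP = [(enc(pair(C('2'), xor(na, B), NB), pk(a)),
                enc(pair(C('2'), xor(NA, b), nb), pk(A)))]

if __name__ == '__main__':
    for name, up in (('repaired', FIXED_UP), ('original', ORIGINAL_UP)):
        std, acun = bsca_split(up)
        print(name, 'ACUN side:', acun)
        print(name, 'original variables on ACUN side:', original_vars_on_acun_side(up))
```

For the repaired problem the ACUN side is $\{X_1 = X_2 \oplus X_3,\ X_6 = X_4 \oplus X_5\}$ with every $X_i$ a new variable that stands for a tagged pair on the STD side; for the original problem it is $\{X_1 = n_a \oplus B,\ X_2 = N_A \oplus b\}$, so the ACUN unifier can bind the protocol's own variables, which is what Lemma 3 excludes.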

Definition 10. [Combined Unifier] 

Let $\Gamma$ be an $E$-UP where $(E_1 \cup E_2) = E$. Let $\sigma_i \in A_{E_i}(\Gamma_{5.i})$, $i \in \{1, 2\}$, and let 
$V_i = Vars(\Gamma_{5.i})$, $i \in \{1, 2\}$. 

Suppose '$<$' is a linear order on $Vars(\Gamma)$ such that $Y < X$ if $X$ is not a subterm of an 
instantiation of $Y$: 

$$ (\forall X, Y \in Vars(\Gamma))((Y < X) \Rightarrow \neg(X \sqsubseteq Y\sigma)). $$

Let least$(X, T, <)$ be defined as the minimal element of set $T$, when ordered linearly by 
the relation '$<$', i.e., 

$$ \mathrm{least}(X, T, <) \Leftarrow (\forall Y \in T)((Y \neq X) \Rightarrow (X < Y)). $$

Then, the combined UA for $\Gamma$, namely $A_{E_1 \cup E_2}$, is defined such that 

$$ A_{E_1 \cup E_2}(\Gamma) = \{ \sigma \mid (\exists \sigma_1, \sigma_2)((\sigma = \sigma_1 \odot \sigma_2) \wedge (\sigma_1 \in A_{E_1}(\Gamma_{5.1})) \wedge (\sigma_2 \in A_{E_2}(\Gamma_{5.2}))) \}, $$

where, if $\sigma = \sigma_1 \odot \sigma_2$, then: 

• The substitution in $\sigma$ for the least variable in $V_1$ and $V_2$ is from $\sigma_1$ and $\sigma_2$ respectively: 

$$ (\forall i \in \{1, 2\})((X \in V_i) \wedge \mathrm{least}(X, Vars(\Gamma), <) \Rightarrow (X\sigma = X\sigma_i)); \text{ and} $$

• For all other variables $X$, where each $Y$ with $Y < X$ has a substitution already 
defined, define $X\sigma = X\sigma_i\sigma$ ($i \in \{1, 2\}$): 

$$ (\forall i \in \{1, 2\})((\forall X \in V_i)((\forall Y)((Y < X) \wedge (\exists Z)(Z/Y \in \sigma))) \Rightarrow (X\sigma = X\sigma_i\sigma)). $$

It has been proven in [citation] that the combination algorithm defined above is an $(E_1 \cup E_2)$-UA 
for any $(E_1 \cup E_2)$-UP if an $E_1$-UA and an $E_2$-UA are known to exist and if $=_{E_1}$, $=_{E_2}$ are 
disjoint. The combination of STD and ACUN UAs, which is of interest to us in this paper, 
has been shown to be finitary (i.e., to return a finite number of unifiers) when combined 
using BSCA [citation]. 

We now prove a simple lemma which states that the combined unifier of two unifiers is 
equal to one of the unifiers, if the other unifier is empty. 

Lemma 2. [Combined unifier when one of the unifiers is empty] 

Let $\Gamma$, $\sigma$, $\sigma_1$, $\sigma_2$, $V_1$, $V_2$, and $<$ be as defined above in Def. 10. Then, 

$$ (\sigma = \sigma_1 \odot \sigma_2) \wedge (\sigma_2 = \{\}) \wedge (V_2 = \{\}) \Rightarrow (\sigma = \sigma_1). $$

Proof. Let $Vars(\sigma) = \{ X \mid \_/X \in \sigma \}$. 
From Def. 10, if $\sigma = \sigma_1 \odot \sigma_2$, then 

$$ (\forall i \in \{1, 2\})((X \in V_i) \wedge \mathrm{least}(X, Vars(\Gamma), <) \Rightarrow (X\sigma = X\sigma_i)). $$

But since $\sigma_2 = \{\}$ and $V_2 = \{\}$, we have 

$$ (\forall X \in V_1 \cup V_2)(\mathrm{least}(X, Vars(\Gamma), <) \Rightarrow (X\sigma = X\sigma_1)). \quad (4) $$

Also from Def. 10, 

$$ (\forall X \in V_1 \cup V_2)((\forall Y)((Y < X) \wedge (\exists Z)(Z/Y \in \sigma)) \Rightarrow (X\sigma = X\sigma_i\sigma)). $$

Again, since $\sigma_2 = \{\}$ and $V_2 = \{\}$, this implies 

$$ (\forall X \in V_1 \cup V_2)((\forall Y)((Y < X) \wedge (\exists Z)(Z/Y \in \sigma)) \Rightarrow (X\sigma = X\sigma_1)). \quad (5) $$

Combining (4) and (5), we have 

$$ (\forall X \in V_1 \cup V_2)(X\sigma = X\sigma_1). \quad (6) $$

Further, since $\sigma_2 = \{\}$ and $V_2 = \{\}$, we have $Vars(\sigma) = Vars(\sigma_1) = V_1$ and hence, 
combining this with (6), we have $\sigma = \sigma_1$. 

□ 

4.3 ACUN-UPs in NUT-Satisfying protocols have only constants as subterms 

Our next lemma is a bit lengthy. This lemma is the lynchpin of the paper and forms the 
crux of our two main theorems in Section 5. 

It concerns combined UPs involving the disjoint theories $=_{STD}$ and $=_{ACUN}$. We prove 
that, if we follow BSCA for finding unifiers for an $(S \cup A)$-UP, say $\Gamma$, that does not have 
free variables inside XOR terms, the terms in all the ACUN-UPs ($\Gamma_{5.2}$) from it will 
always have only constants as subterms. Consequently, we will end up with an empty set of 
substitutions returned by the ACUN-UA for $\Gamma_{5.2}$, even when its terms are equal in the 
$=_{ACUN}$ theory. 

Lemma 3. [ACUN-UPs have only constants as subterms] 

Let $\Gamma = \{m =_{S \cup A} t\}$ be an $(S \cup A)$-UP that is $(S \cup A)$-Unifiable, and where no subterm 
of $m$ or $t$ is an XOR term with free variables: 

$$
(\forall x)\left(
\left(\begin{array}{l}
((x \sqsubseteq m) \vee (x \sqsubseteq t)) \wedge \\
(x = x_1 \oplus \ldots \oplus x_n) \wedge (n > 1)
\end{array}\right)
\Rightarrow (\forall i \in \{1, \ldots, n\})(x_i \notin Vars)
\right). 
$$

Then, 

$$ (\forall m' =_{ACUN} t' \in \Gamma_{5.2};\ x)\left( ((x \sqsubseteq m') \vee (x \sqsubseteq t')) \Rightarrow (x \in Constants) \right). $$

Proof. Let $\sigma$ be a set of substitutions s.t. $\sigma \in A_{S \cup A}(\Gamma)$. 

Then, from Def. 10 (Combined Unifier), $\sigma \in \sigma_1 \odot \sigma_2$, where $\sigma_1 \in A_{STD}(\Gamma_{5.1})$ and 
$\sigma_2 \in A_{ACUN}(\Gamma_{5.2})$. 

Suppose there is a term $t$ in $\Gamma$ with an alien subterm $t'$ wrt the theory $=_{ACUN}$ (e.g. 
$[1, n_a]_k \oplus b \oplus c$ with the alien subterm $[1, n_a]_k$). 

Then, from the definition of $\Gamma_2$, it must have been replaced with a new variable in $\Gamma_2$, 
i.e., 

$$ (\forall t, t')\left( ((t \in \Gamma) \wedge (t = \ldots \oplus t' \oplus \ldots)) \Rightarrow (\exists X \in NewVars)(X =_{STD} t' \in \Gamma_2) \right), \quad (7) $$

where $NewVars \subseteq Vars \setminus Vars(\Gamma)$. 

Since XOR terms do not have free variables from hypothesis, it implies that every free 
variable in an XOR term in $\Gamma_2$ is a new variable (8). 

Since every alien subterm of every term in $\Gamma$ has been replaced with a new variable (7), 
combining it with (8), XOR terms in $\Gamma_2$ must now have only constants and/or new variables 
as subterms: 

$$ (\forall t, t')\left( ((t \in \Gamma_2) \wedge (t \in XorTerms) \wedge (t' \sqsubseteq t) \wedge (t' \notin XorTerms)) \Rightarrow (t' \in NewVars \cup Constants) \right). \quad (9) $$

Let $VarIdP$ be a partition of $Vars(\Gamma_2)$ and $\Gamma_3 = \Gamma_2\rho$, such that 

$$ \Gamma_2\rho = \{ s = p \mid (s = p := s'\rho = t'\rho) \wedge s' = t' \in \Gamma_2 \}, $$

where $\rho$ is the set of substitutions in which each set of variables in $VarIdP$ has been 
replaced with one of the variables in the set: 

$$ \rho = \left\{ x/X \;\middle|\; (\forall Y_1/X_1, Y_2/X_2 \in \rho;\ vip \in VarIdP)\left( (X_1, X_2 \in vip) \Rightarrow ((Y_1 = Y_2) \wedge (Y_1, Y_2 \in vip)) \right) \right\}. $$

Can there exist a substitution $X/Y$ in $\rho$ such that $Y \in NewVars$ and $X \in Vars(\Gamma)$? 
To find out, consider the following two statements: 

• From (7), every new variable $Y$ in $\Gamma_2$ belongs to a STD-UP in $\Gamma_2$: 

$$ (\forall Y \in NewVars)((Y \in Vars(\Gamma_2)) \Rightarrow (\exists t)(\mathrm{pure}(t, =_{STD}) \wedge Y =_{STD} t \in \Gamma_2)). $$

• Further, from hypothesis, we have that XOR terms in $\Gamma$ do not have free variables. 
Hence, every free variable is a proper subterm of a purely $=_{STD}$ term ($t$ is a proper 
subterm of $t'$ iff $t \sqsubseteq t' \wedge t \neq t'$): 

$$ (\forall X \in Vars(\Gamma))\left( (\exists t \in \Gamma)((X \sqsubseteq t) \wedge \mathrm{pure}(t, =_{STD}) \wedge (X \neq t)) \right). $$

The above two statements are contradictory: it is not possible that a new variable and 
an existing variable can be replaced with each other, since one belongs to a STD-UP, and 
the other is always a proper subterm of a term that belongs to a STD-UP. 

Hence, $VarIdP$ cannot consist of sets where new variables are replaced by $Vars(\Gamma)$, 
i.e., 

$$ \neg(\exists vip \in VarIdP)\left( (Y, X \in vip) \wedge (Y \in NewVars) \wedge (X \in Vars(\Gamma)) \right). \quad (10) $$

Writing (10) in (9), we have 

$$ (\forall t, t')\left( ((t \in \Gamma_3) \wedge (t \in XorTerms) \wedge (t' \sqsubseteq t) \wedge (t' \notin XorTerms)) \Rightarrow (t' \in NewVars \cup Constants) \right). \quad (11) $$

Further, if a variable belongs to a UP of $\Gamma_3$, then the other term of the UP is pure wrt 
the $=_{STD}$ theory: 

$$ (\forall X \in Vars(\Gamma_3), t)\left( ((X =_{STD} t \in \Gamma_3) \vee (t =_{STD} X \in \Gamma_3)) \Rightarrow (X \in NewVars) \wedge \mathrm{pure}(t, =_{STD}) \right). \quad (12) $$

Now suppose $\Gamma_{4.2} = \{ s = t \mid (s = t \in \Gamma_3) \wedge \mathrm{pure}(s, =_{ACUN}) \wedge \mathrm{pure}(t, =_{ACUN}) \}$, 
$\{V_1, V_2\}$ a partition of $Vars(\Gamma) \cup NewVars$, and 

$$ \Gamma_{5.2} = \Gamma_{4.2}\beta, $$

where $\beta$ is a set of substitutions of new constants for $V_1$: 

$$ \beta = \{ x/X \mid (X \in V_1) \wedge (x \in Constants \setminus (Constants(\Gamma) \cup Constants(\Gamma_{5.1}))) \}. $$

From hypothesis, $\Gamma_{5.2}$ is ACUN-Unifiable. Hence, we have: 

$$ (\forall \sigma)((\forall m' =_{ACUN} t' \in \Gamma_{5.2})(m'\sigma =_{ACUN} t'\sigma) \Rightarrow \sigma \in A_{ACUN}(\Gamma_{5.2})). $$

Now consider a $\sigma$ s.t. $\sigma \in A_{ACUN}(\Gamma_{5.2})$. 

From (11), we have that XOR terms in $\Gamma_{5.2}$ have only new variables and/or constants, 
and from (12) we have that if $X \in Vars(\Gamma_{5.2})$, then there exists $t$ s.t. $X =_{STD} t \in \Gamma_{5.1}$ and 
$t$ is pure wrt the $=_{STD}$ theory. 

Suppose $V_2 \neq \{\}$. Then, there is at least one variable, say $X \in Vars(\Gamma_{5.2})$. This 
implies that $X$ is replaced with a constant (say $x$) in $\Gamma_{5.1}$. 

Since $X$ is necessarily a new variable and one term of a STD-UP, this implies that $x$ 
must equal some compound term made with StdOps. 

However, a compound term made with StdOps can never equal a constant under the 
$=_{STD}$ theory: 

$$ \neg(\exists op \in StdOps;\ t_1, \ldots, t_n;\ x \in Constants)(x =_{STD} op(t_1, \ldots, t_n)), $$

a contradiction. 

Hence, $\sigma = \{\}$, $V_2 = \{\}$ and our hypothesis is true that all XOR terms in $\Gamma_{5.2}$ necessarily 
contain only constants: 

$$ (\forall m' =_{ACUN} t' \in \Gamma_{5.2};\ x)\left( ((x \sqsubseteq m') \vee (x \sqsubseteq t')) \Rightarrow (x \in Constants) \right). $$

□ 

5 Main Results 

In this section, we will prove our main results. We will first prove that NUT-Satisfying 
protocols are not susceptible to type-flaw attacks in Section 5.1. We will then prove that 
$\mu$-NUT-Satisfying protocols are not susceptible to multi-protocol attacks in Section 5.2. 

5.1 NUT prevents type-flaw attacks 

We will now prove our first main result, that NUT-Satisfying protocols will not have any 
type-flaw attacks. The main idea is to show that every unification when solving a constraint 
sequence from a NUT-Satisfying protocol results in a well-typed unifier. We follow the 
outline below: 

1. We will first establish that normal constraint sequences from NUT-Satisfying protocols 
do not contain variables in the target or term set of their active constraints (either 
freely or inside XOR terms), but only subterms of the initial term set; 

2. We then infer from Lemma 3 that if an $(S \cup A)$-UP, say $\Gamma$, does not have free variables 
inside XOR terms, then terms in its $\Gamma_{5.2}$ will have only constants as subterms; 

3. Next, we infer from Lemma 1 that UPs in $\Gamma_{5.1}$ unify only under well-typed substitutions, 
if they were created from the same underlying term of the protocol by applying 
two well-typed substitutions (which is true for semi-bundles from NUT-Satisfying 
protocols, under Assumption 1); 

4. Finally, the combined unifier for $\Gamma$ is simply the unifier for $\Gamma_{5.1}$, from Lemma 2 
(Combined unifier when one of the unifiers is empty), and hence is always well-typed. 

Theorem 1. NUT-Satisfying protocols are secure against type-flaw attacks in the $=_{S \cup A}$ 
theory. 

Proof. From Def. 6 (type-flaw attacks), a protocol is susceptible to type-flaw attacks if a 
constraint sequence from a semi-bundle of the protocol is satisfiable only with a substitution 
that is not well-typed. 

We will show that this never happens; i.e., every satisfiable constraint sequence from a 
semi-bundle of a NUT-Satisfying protocol is satisfiable only with a well-typed substitution. 

Let $P$ be a NUT-Satisfying protocol, $S$ a semi-bundle from $P$, and $cs$ a constraint 
sequence from $S$. Suppose $cs$ is satisfiable with a substitution in the $=_{S \cup A}$ theory, i.e., 

$$ \text{semi-bundle}(S, P) \wedge \mathrm{conseq}(cs, S) \wedge \mathrm{satisfiable}(cs, \_, =_{S \cup A}). \quad (13) $$

From (1) (satisfiability), suppose we have $r_1, \ldots, r_n \in Rules$ s.t. 

$$
\left(\begin{array}{l}
\mathrm{applicable}(r_1, cs, cs_1, \{\}, \sigma_1, =_{S \cup A}) \wedge \\
\mathrm{applicable}(r_2, cs'_1, cs_2, \sigma_1, \sigma_2, =_{S \cup A}) \wedge \ldots \\
\mathrm{applicable}(r_n, cs'_{n-1}, cs_n, \sigma_{n-1}, \sigma_n, =_{S \cup A}) \wedge \\
\mathrm{simple}(cs_n) \wedge \\
(\forall i \in \{1, \ldots, n\})(cs'_i = \mathrm{normalize}(cs_i))
\end{array}\right). \quad (14)
$$

Now every $cs'_i$ in (14) is normalized. Hence, their active constraints do not have variables 
in the targets or term sets. Further, since $P$ is NUT-Satisfying, no term of the form 
$t_1 \oplus \ldots \oplus t_p$ ($p > 1$) can have a free variable in the set $\{t_1, \ldots, t_p\}$ (from NUT Condition 3), 
i.e., 

$$
(\forall i \in \{1, \ldots, n\};\ x)\left(
\left(\begin{array}{l}
\mathrm{active}(m : T, cs'_i) \wedge (p > 1) \wedge \\
((x = m) \vee (x \in \{t_1, \ldots, t_p\})) \wedge \\
(t_1 \oplus \ldots \oplus t_p \in m \cup T)
\end{array}\right)
\Rightarrow
\left(\begin{array}{l}
(x \notin Vars(S)) \wedge \\
(x \in \mathrm{SubTerms}(S\sigma_i))
\end{array}\right)
\right). \quad (15)
$$

From the set $Rules$ it is clear that only un and ksub potentially change the set of substitutions 
when applied to a constraint sequence, i.e., 

$$ (\forall r \in Rules)\left( \mathrm{applicable}(r, \_, \_, \sigma, \sigma', \_) \wedge (\sigma \subset \sigma') \Rightarrow (r = \text{un}) \vee (r = \text{ksub}) \right). \quad (16) $$

Consider rules un and ksub: 

$$
\mathrm{applicable}(\text{un}, cs, cs', \sigma, \sigma', =_{S \cup A}) \Leftarrow (\exists m, T, t)
\left(\begin{array}{l}
\mathrm{active}(m : T \cup t, cs) \wedge (cs' = cs_{<}\tau \,{}^\frown\, cs_{>}\tau) \wedge \\
(\sigma' = \sigma \cup \tau) \wedge (\tau \in U_{S \cup A}(\{m =_{S \cup A} t\}))
\end{array}\right)
$$

$$
\mathrm{applicable}(\text{ksub}, cs, cs', \sigma, \sigma', =_{S \cup A}) \Leftarrow (\exists m, T, t)
\left(\begin{array}{l}
\mathrm{active}(m : T \cup [t]^{?}_{k}, cs) \wedge \\
(cs' = cs_{<}\tau \,{}^\frown\, [m\tau : T\tau \cup [t]^{?}_{k}\tau] \,{}^\frown\, cs_{>}\tau) \wedge \\
(\sigma' = \sigma \cup \tau) \wedge (\tau \in U_{S \cup A}(\{k =_{S \cup A} pk(e)\}))
\end{array}\right)
$$

Suppose $\Gamma = \{m =_{S \cup A} t\}$ where $m = m'\sigma_m\sigma$ and $t = t'\sigma_t\sigma$, and for some $r, r' \in P$, 
$r\sigma_m, r'\sigma_t \in S$. 

Suppose $\tau \in U_{S \cup A}(\Gamma)$. Then, using Def. 10 (Combined Unifier), let $\tau \in \tau_{STD} \odot \tau_{ACUN}$, 
where $\tau_{STD} \in A_{STD}(\Gamma_{5.1})$ and $\tau_{ACUN} \in A_{ACUN}(\Gamma_{5.2})$. 

From (15), we can infer that the conditions of Lemma 3 (ACUN-UPs have only constants) 
are met: 

$$ (\forall x)\left( (((x \sqsubseteq m) \vee (x \sqsubseteq t)) \wedge (x = x_1 \oplus \ldots \oplus x_n) \wedge (n > 1)) \Rightarrow (\forall i \in \{1, \ldots, n\})(x_i \notin Vars) \right). \quad (17) $$

And therefore, we infer from Lemma 3 that: 

$$ (\forall \Gamma_{5.2};\ \tau_{ACUN} \in A_{ACUN}(\Gamma_{5.2}))(\tau_{ACUN} = \{\}). \quad (18) $$

Now consider problems in $\Gamma_{5.1}$. Suppose $(m_1, t_1) \in \Gamma_{5.1}$. Let $m_1 = x\sigma_m\sigma\rho\alpha$ and 
$t_1 = y\sigma_t\sigma\rho\alpha$, where $\sigma$ is as defined in rule un; $x, y \in \mathrm{SubTerms}(P)$; $\rho$ is as defined in 
Lemma 3 and $\alpha$ is a set of substitutions s.t. 

$$ \Gamma_{5.1} = \Gamma_{4.1}\alpha, $$

where $\alpha$ substitutes new constants for $V_2$: 

$$ \alpha = \{ x/X \mid (X \in Vars(\Gamma_{5.2})) \wedge (x \in Constants \setminus Constants(\Gamma)) \}. $$

From Lemma 3, we have that $Vars(\Gamma_{5.2}) = \{\}$. Hence, $\alpha = \{\}$. 

Also from Lemma 3, we have that, whenever $\Gamma$ is $(S \cup A)$-Unifiable, $\Gamma_{4.2}$ will not have 
any variables of $\Gamma$, and $\Gamma_{5.2}$ will not have any variables at all. Hence, we have that every 
partition of $VarIdP$ (defined in Lemma 3) in which there is a variable of $\Gamma$ has only that 
variable and no others in the partition: 

$$ (\forall vip \in VarIdP;\ X, Y \in vip)(X \in Vars(\Gamma) \Rightarrow X = Y). \quad (19) $$

Now, $Vars(\Gamma_{5.1}) = Vars(\Gamma) \cup NewVars$. 
From (19), we have 

$$ (\forall x/X \in \rho)(X \in Vars(\Gamma) \Rightarrow \text{well-typed}(x/X)). \quad (20) $$

Now, 

• From (15), we have that $m, t \in \mathrm{SubTerms}(S\sigma)$; 

• From BSCA, if $m, t \in \mathrm{SubTerms}(S\sigma)$, and $m_1, t_1 \notin NewVars$, then $m_1$ and $t_1$ must 
belong to $\mathrm{SubTerms}(S\sigma\rho)$; 

• From NUT Conditions 1 and 3, if $m_1$ is STD-Unifiable with $t_1$, then $x$ must equal $y$. 

If $x = y$, since well-typed$(\sigma_m)$ and well-typed$(\sigma_t)$ from Assumption 1 (Honest agent 
substitutions are always well-typed), assuming well-typed$(\sigma)$, and well-typed$(\rho)$ from (20), 
we can infer from Lemma 1 (Well-typed STD terms unify only under well-typed unifiers) 
that well-typed$(\delta)$, where $m_1\delta =_{STD} t_1\delta$, if none of $NewVars$ exist as subterms of 
$m_1$ or $t_1$: 

$$ (\forall m_1 =_{STD} t_1 \in \Gamma_{5.1};\ \delta)\left( ((m_1\delta =_{STD} t_1\delta) \wedge \neg(\exists X \in NewVars)((X \sqsubseteq m_1) \vee (X \sqsubseteq t_1))) \Rightarrow \text{well-typed}(\delta) \right). \quad (21) $$

But what if $m_1$ or $t_1$ contain new variables as subterms? 

Now the type of the new variables is the type of the compound terms that they replace: 

$$ (\forall X \in NewVars)(X =_{ACUN} t \in \Gamma_2 \Rightarrow type(X) = type(t)). $$

Suppose $X/Y \in \rho$, where $X, Y \in NewVars$ (note that $X$ or $Y$ cannot belong to 
$Vars(\Gamma)$ from equation (10) in Lemma 3). 

Suppose there exist some $t_1, t_2$ such that $t_1 =_{STD} X$ belongs to $\Gamma_{5.1}$ and $t_2 =_{STD} Y$ 
belongs to $\Gamma_{5.1}$. Suppose $t_1, t_2$ do not have any new variables as subterms. Then, from (21), 
we have well-typed$(\theta)$, where $t_1\theta =_{STD} t_2\theta$, and hence we have well-typed$(X/Y)$: 

$$ (\forall X, Y \in NewVars)((X/Y \in \rho) \Rightarrow \text{well-typed}(X/Y)). \quad (22) $$

Combining (20) and (22), we have well-typed$(\rho)$. 

Given this, using induction on terms, we conclude similarly to (21) that every 
problem in $\Gamma_{5.1}$ unifies under a well-typed substitution: 

$$ (\forall m_1 =_{STD} t_1 \in \Gamma_{5.1})((m_1\tau_{STD} =_{STD} t_1\tau_{STD}) \Rightarrow \text{well-typed}(\tau_{STD})). $$

Now, 

$$
\begin{array}{lcll}
\tau & = & \tau_{STD} \odot \tau_{ACUN} & \\
     & = & \tau_{STD} \odot \{\} & \text{(from (18))} \\
     & = & \tau_{STD}. & \text{(from Lemma 2 (Combined unifier when one of the unifiers is empty))}
\end{array}
$$

Since well-typed$(\tau_{STD})$ from above, this implies well-typed$(\tau)$. 

Similarly, for ksub, we can conclude well-typed$(\tau)$, where $\tau \in A_{S \cup A}(\{k =_{S \cup A} pk(e)\})$, 
provided $k$ is not a variable, and indeed it is not by NUT Condition 2. 

So the only rules that potentially change the substitution (un, ksub) produce well-typed 
substitutions. We can apply this in (16) and write: 

$$ (\forall r \in \{r_1, \ldots, r_n\})(\ \cdots\ ). \quad (23) $$

Since all other rules except un and ksub do not change the attacker substitution, we can 
combine the above statement with (14) and conclude: 

$$
\left(\begin{array}{l}
\mathrm{applicable}(r_1, cs, cs_1, \{\}, \sigma_1, =_{S \cup A}) \wedge \\
\mathrm{applicable}(r_2, cs'_1, cs_2, \sigma_1, \sigma_2, =_{S \cup A}) \wedge \ldots \\
\mathrm{applicable}(r_n, cs'_{n-1}, cs_n, \sigma_{n-1}, \sigma_n, =_{S \cup A}) \wedge \\
\mathrm{simple}(cs_n) \wedge \\
(\forall i \in \{1, \ldots, n\})(cs'_i = \mathrm{normalize}(cs_i))
\end{array}\right) \Rightarrow \text{well-typed}(\sigma_n). \quad (24)
$$

(Note that we concluded well-typed$(\tau_{STD})$ assuming that $\sigma$ in rule un was well-typed. 
Thus, in (24), $\sigma_1$ is well-typed and inductively, all of $\sigma_2, \ldots, \sigma_n$ are well-typed.) 
Finally, we can combine the above statement with (13) and form: 

$$ (\forall \sigma)\left( \left(\begin{array}{l} \text{semi-bundle}(S, P) \wedge \mathrm{conseq}(cs, S) \wedge \\ \mathrm{satisfiable}(cs, \sigma, =_{S \cup A}) \end{array}\right) \Rightarrow \text{well-typed}(\sigma) \right). $$

From Def. 6 (type-flaw attack), this implies 

$$ \neg\mathrm{typeFlawAttack}(P, =_{S \cup A}). $$

Since we started out assuming that $P$ is a NUT-Satisfying protocol, we sum up noting 
that NUT-Satisfying protocols are not susceptible to type-flaw attacks. 

□ 



5.2 ;U-NUT prevents multi-protocol attacks 

We will now prove that ii-M\JJ- Satisfying protocols are not susceptible to multi-protocol 
attacks. 

The idea is to show that if a protocol is secure in isolation, then it is in combination 
with other protocols with which it is fi-H\JJ- Satisfying. 

To show this, we will achieve a contradiction by attempting to prove the contrapositive. 
i.e., if there is a breach of secrecy for a protocol in combination with another protocol with 
which it is ii-M\JT- Satisfying, then it must also have a breach of secrecy in isolation. 

We will follow the outline below: 

1. We will first form a constraint sequence from a semi-bundle that has semi- strands 
from the combination of a secure protocol and another protocol with which it is 
fi-HDT- Satisfying; 

2. We will then form another sequence that can be formed solely from a semi-bundle of 
the secure protocol by extracting it from the constraint sequence of the combination 
of semi-bundles; 

3. Finally, we will show that any reduction rules to satisfy the former resulting in a 
breach of secrecy can be equally applied on the latter, resulting in a breach of secrecy 
in it as well (thereby achieving a contradiction). 

We are now ready to prove our second main theorem. 
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Theorem 2. In the =sua theory, if a protocol is secure for secrecy, then it remains so in 
combination with any other protocol with which it is fi-N\JT- Satisfying. 

Proof. Suppose Pi is a protocol that is secure for secrecy in isolation in the =sua theory, 
i.e., 

secureForSecrecy(Pi, =sua)- (25) 

Consider another protocol P2 such that, n-MliT- Satisfying (Pi, P2). Let, Si and S2 be 
two semi -bundles from Pi and P2 respectively: 

semi-bundle(S'i, Pi) A semi-bundle(S'2, P2). (26) 

Consider a constraint sequence comhcs ixom S comb = 5'iUS'2. i.e., conseq( com6cs, S'comb) 
Consider another constraint sequence isocs, where, 

(a) Targets in combes are targets in isocs if the targets belong to Si. 

(Vm : _ in combcs){{m G Terms{Si)) ^ (m : _ in isocs)). (27) 

(b) Term sets in combes are term sets in isocs but without terms from S2'. 



I mi'.Ti -< combes "12 : T2 \ 



Vmi : Ti, 
m2 : T2 in combes 



(mi : T{ ~<isocs mi : T2)A 
{3Ti, T^) I {Ti = Ti \ T-n A (T^ = T2 \ T^') 

V V (^^ ^ ^1" U e SubTerms{S2)) J J 

(28) 

Then, from Def . [5] (Constraints) we have that isocs is a constraint sequence from 5*1 
alone, i.e., conseq (zsocs, Si). 

Suppose combes and isocs are normalized. To achieve a contradiction, let there be a 
violation of secrecy in Scomb s.t. combes is satisfiable after an artificial constraint with a 
secret constant of Si, say sec, is added to it: 

{combes = [_:_,...,_: T]) A satisfiable( com6cs'" [sec : T], _, =sua)- (29) 

Suppose $[r_1, \ldots, r_n] = R$, such that $r_1, \ldots, r_n \in Rules$. Then, from the definition of 
satisfiability, using $R$, say we have: 

$$\left(\begin{array}{l}
(combcs = [\_ : \_, \ldots, \_ : T]) \wedge \\
\mathrm{applicable}(r_1, combcs\,\hat{}\,[sec : T], combcs_1, \{\}, \sigma_1, =_{SUA}) \wedge \\
\mathrm{applicable}(r_2, combcs'_1, combcs_2, \sigma_1, \sigma_2, =_{SUA}) \wedge \ldots \wedge \\
\mathrm{applicable}(r_n, combcs'_{n-1}, combcs_n, \sigma_{n-1}, \sigma_n, =_{SUA}) \wedge \\
\mathrm{simple}(combcs_n) \wedge (\forall i \in \{1, \ldots, n\})(combcs'_i = \mathrm{normalize}(combcs_i))
\end{array}\right) \quad (30)$$

From their descriptions, every rule in $Rules$ adds subterms of existing terms (if any) in 
the target or term set of the active constraint: 

$$\left(\begin{array}{l}
\mathrm{applicable}(\_, cs, cs', \_, \_, \_) \wedge \mathrm{active}(m : T, cs) \wedge \\
\mathrm{active}(m' : T', cs') \wedge (x \in T' \cup m')
\end{array}\right) \Rightarrow (x \in SubTerms(T \cup m)). \quad (31)$$

Since every $combcs'_i$ ($i = 1$ to $n$) in (30) is normalized, and since $P_1$ and $P_2$ are 
$\mu$-NUT-Satisfying, we have that no XOR term in the target or term sets of any $combcs'_i$ 
($i = 1$ to $n$) has free variables: 

$$\left(\begin{array}{l}
\mathrm{active}(m : T, combcs'_i) \wedge (p \in \mathbb{N}) \wedge \\
(t_1 \oplus \ldots \oplus t_p \in T \cup m)
\end{array}\right) \Rightarrow (\forall j \in \{1, \ldots, p\})(t_j \notin Vars). \quad (32)$$

Suppose $chcombcs$ is a normal child constraint sequence of $combcs$ and $chisocs$ is a 
normal child constraint sequence of $isocs$. 

$un$ and $ksub$ are the only rules that affect the attacker substitution. We will show that 
these are equally applicable on $chcombcs$ and $chisocs$. Suppose: 

• $\Gamma = \{m =_{SUA} t\}$ is an $(S \cup A)$-UP and suppose $m = m'\sigma_{comb}$, $t = t'\sigma_{comb}$, where 
$m' \in SubTerms(S_1)$; 

• Variables in $\sigma_{comb}$ are substituted with terms from the same semi-bundle: 

$$(\forall x/X \in \sigma_{comb})\big((\exists i \in \{1, 2\})(x, X \in SubTerms(S_i))\big). \quad (33)$$

(This is vacuously true if $un$ or $ksub$ were never applied on $combcs$ to derive $chcombcs$, 
since $\sigma_{comb}$ is then empty.) 

• $\Gamma$ is $(S \cup A)$-Unifiable. 

Let $\tau \in \mathcal{A}_{SUA}(\Gamma)$. Then, from Def. 10 (Combined Unifier), $\tau$ is the combined unifier of $\tau_{STD}$ and $\tau_{ACUN}$, where 

$\tau_{STD} \in \mathcal{A}_{STD}(\Gamma_{5.1})$ and $\tau_{ACUN} \in \mathcal{A}_{ACUN}(\Gamma_{5.2})$. 

Now from BSCA, if $m_1 =_{STD} t_1 \in \Gamma_{5.1}$, and $\theta \in \mathcal{U}_{STD}(\{m_1 =_{STD} t_1\})$, then we have 
the following cases: 

Variables. If $m_1$ and/or $t_1$ are variables, from (32) and BSCA, they are necessarily new, 
i.e., $m_1, t_1 \in Vars \setminus Vars(\Gamma)$ (unless $m$ and $t$ are variables, which they are not, since 
$chcombcs$ is normal). Hence, there are no new substitutions in $\theta$ to $Vars(\Gamma)$ in this case. 

Constants. If $m_1 \in Constants(S_1)$, again from BSCA, $t_1$ cannot belong to $Vars$, and 
it must be a constant. If $m_1$ is a fresh constant of $S_1$, then $t_1$ must also belong to $S_1$ 
from Assumption 6 (freshness) and (33), and if $m_1$ is not fresh, $t_1$ could belong to either 
$SubTerms(S_1)$ or $IIK$ from Assumption 5. Further, $\theta = \{\}$. 
Public Keys. If $m_1 = pk(\_)$, then $t_1$ must be some $pk(\_)$ as well. From BSCA, $m_1$ cannot 
be such that $[\_]_{m_1} \sqsubseteq m$. Further, there cannot be an XOR term, say $\ldots \oplus m_1 \oplus \ldots$, that is 
a subterm of $m$, from $\mu$-NUT Condition 2. The only other possibility is that $m = m_1$. In 
that case, $t$ must also equal $t_1$, whence $t$ can belong to $IIK$ from our assumption that the intruder 
possesses all public keys. Hence, we have that $(\forall x/X \in \theta)((\exists i \in \{1, 2\})(x, X \in SubTerms(S_i)))$. 

Shared keys. $m_1$ cannot be a long-term shared key, i.e., $m_1 \neq sh(\_, \_)$, since from Assumptions 2 and 3 
they do not appear as interms and from the definition of $\Gamma_{5.1}$, $m_1$ is 
necessarily an interm. 

Encrypted Subterms. Suppose $m_1 = m_{11}\sigma_{comb}\rho$, $t_1 = t_{11}\sigma_{comb}\rho$, where $m_{11}, t_{11} \in 
EncSubt(S_1 \cup S_2)$ and $\rho$ is a set of substitutions from $VarIdP$ defined in Lemma 3. Then, 
from $\mu$-NUT Condition 1 and (31), we have $m_{11}, t_{11} \in EncSubt(S_i)$, where $i \in \{1, 2\}$. 
Hence, $(\forall x/X \in \theta)((\exists i \in \{1, 2\})(x, X \in SubTerms(S_i)))$. 

Sequences. If $m_1$ is a sequence, either $m$ must be a sequence, or there must be some 
$\ldots \oplus m_1 \oplus \ldots$ belonging to $SubTerms(\{m, t\})$, from BSCA. But $m$ and $t$ cannot be 
sequences, since $chcombcs$ is normal. Hence, by $\mu$-NUT Condition 2 and (31), $m_1, t_1 \in 
SubTerms(S_i)\sigma_{comb}\rho$, $i \in \{1, 2\}$ and $(\forall x/X \in \theta)((\exists i \in \{1, 2\})(x, X \in SubTerms(S_i)))$. 

In summary, we make the following observations about problems in $\Gamma_{5.1}$. 

If $m_1$ is an instantiation of a subterm in $S_1$, then so is $t_1$, or $t_1$ belongs to $IIK$: 

$$(\forall m_1 = t_1 \in \Gamma_{5.1})\big(m_1 \in SubTerms(S_1)\sigma_{comb}\rho \Rightarrow t_1 \in SubTerms(S_1)\sigma_{comb}\rho \cup IIK\big). \quad (34)$$

Every substitution in $\tau_{STD}$ has both its term and variable from the same semi-bundle: 

$$(\forall x/X \in \tau_{STD})\big((\exists i \in \{1, 2\})(x, X \in SubTerms(S_i))\big). \quad (35)$$

Now consider the UPs in $\Gamma_{5.2}$. Applying (32) into Lemma 3, we have that $\tau_{ACUN} = \{\}$. 
Combining this with (35), we have: 

$$(\forall x/X \in \tau)\big((\exists i \in \{1, 2\})(x, X \in SubTerms(S_i)\sigma_{comb})\big). \quad (36)$$

Suppose $m = m_1 \oplus \ldots \oplus m_p$ and $t = t_1 \oplus \ldots \oplus t_q$, $q \geq 1$, $x = m\tau$, $y = t\tau$ and 
$m'' =_{SUA} x$ where $m'' = m'_1 \oplus \ldots \oplus m'_{p'}$, s.t. $(\forall i, j \in \{1, \ldots, p'\})(i \neq j \Rightarrow m'_i\tau \neq_{SUA} m'_j\tau)$, 
and $t'' =_{SUA} y$, where $t'' = t'_1 \oplus \ldots \oplus t'_{q'}$, s.t. $(\forall i, j \in \{1, \ldots, q'\})(i \neq j \Rightarrow t'_i\tau \neq_{SUA} t'_j\tau)$. 

Informally, this means that no two terms in $\{m'_1, \ldots, m'_{p'}\}$ or $\{t'_1, \ldots, t'_{q'}\}$ can be canceled. 

Now, $m\tau =_{SUA} t\tau$ implies $(\forall i \in \{1, \ldots, p'\})((\exists j \in \{1, \ldots, q'\})(m'_i\tau\rho =_{STD} t'_j\tau\rho))$ 
with $p' = q'$. From (34) and $\mu$-NUT, this means that $m \in SubTerms(S_1)\sigma_{comb}$ implies that $t$ 
also belongs to $SubTerms(S_1)\sigma_{comb}$ or $IIK$. 

Now since $Vars(m') \cup Vars(t') \subseteq Vars(S_1)$, we have $m'\sigma_{comb} = m'\sigma_{iso}$ and $t'\sigma_{comb} = 
t'\sigma_{iso}$, where $\sigma_{comb} = \sigma_{iso} \cup \{x/X \mid x, X \in SubTerms(S_2)\}$. Combining this with (36), 
we have that $m'\sigma_{comb}\tau =_{SUA} t'\sigma_{comb}\tau \Rightarrow m'\sigma_{iso}\tau =_{SUA} t'\sigma_{iso}\tau$. 
Combining these with (27) and (28), we can now write: 

$$(\forall chcombcs, chisocs)\left(\begin{array}{l}
\mathrm{applicable}(un, chcombcs, chcombcs', \sigma_{comb}, \sigma'_{comb}, =_{SUA}) \wedge \\
\mathrm{childseq}(chcombcs, combcs, =_{SUA}) \wedge \\
\mathrm{childseq}(chisocs, isocs, =_{SUA}) \Rightarrow \\
\mathrm{applicable}(un, chisocs, chisocs', \sigma_{iso}, \sigma'_{iso}, =_{SUA})
\end{array}\right) \quad (37)$$

where the active constraints in $chcombcs$ and $chisocs$ only differ in the term sets: 

$$\left(\begin{array}{l}
\mathrm{active}(m : \_ \cup t, combcs) \wedge \mathrm{active}(m : \_ \cup t, isocs) \wedge \\
(combcs' = combcs^{<}\,\hat{}\,combcs^{>}\tau) \wedge (isocs' = isocs^{<}\,\hat{}\,isocs^{>}\tau) \wedge \\
(\sigma'_{comb} = \sigma_{comb} \cup \tau) \wedge (\sigma'_{iso} = \sigma_{iso} \cup \tau) \wedge (\tau \in \mathcal{U}_{SUA}(\{m =_{SUA} t\}))
\end{array}\right)$$

From (35) we have $(\forall t \in SubTerms(S_1))(t\sigma_{comb} = t\sigma_{iso})$, and hence we have that 
all the rules in $Rules \setminus \{un, ksub\}$ are applicable on the target of the active constraint of 
$chisocs$ if they were on $chcombcs$, provided they are applied on a term in $SubTerms(S_1)$: 

$$(\forall r \in Rules)\left(\begin{array}{l}
\mathrm{applicable}(r, chcombcs, chcombcs', \_, \_, =_{SUA}) \wedge \\
\mathrm{active}(m : \_, chcombcs) \wedge \mathrm{active}(m' : \_, chcombcs') \wedge \\
\mathrm{active}(m : \_, chisocs) \Rightarrow \\
\big(\mathrm{applicable}(r, chisocs, chisocs', \_, \_, =_{SUA}) \wedge \mathrm{active}(m' : \_, chisocs')\big)
\end{array}\right) \quad (38)$$



Similarly, all rules that are applicable on a term in the term set of the active constraint 
in $chcombcs$, say $c$, are also applicable on the same term of the active constraint in $chisocs$, 
say $c'$ (provided the term exists in the term set of $c'$, which it does from (28) and (31)): 

$$(\forall r \in Rules)\left(\begin{array}{l}
\mathrm{applicable}(r, chcombcs, chcombcs', \_, \_, =_{SUA}) \wedge \\
\mathrm{active}(\_ : \_ \cup t, chcombcs) \wedge \mathrm{active}(\_ : \_ \cup T', chcombcs') \wedge \\
\mathrm{active}(\_ : \_ \cup t, chisocs) \Rightarrow \\
\big(\mathrm{applicable}(r, chisocs, chisocs', \_, \_, =_{SUA}) \wedge \mathrm{active}(\_ : \_ \cup T', chisocs')\big)
\end{array}\right). \quad (39)$$

Finally, we can combine (30), (38), (39), and (37) to infer: 

$$\left(\begin{array}{l}
(isocs = [\_ : \_, \ldots, \_ : T]) \wedge \mathrm{applicable}(r_1, isocs\,\hat{}\,[sec : T], isocs_1, \{\}, \sigma_1, =_{SUA}) \wedge \\
\mathrm{applicable}(r_2, isocs'_1, isocs_2, \sigma_1, \sigma_2, =_{SUA}) \wedge \ldots \wedge \\
\mathrm{applicable}(r_p, isocs'_{p-1}, isocs_p, \sigma_{p-1}, \sigma_p, =_{SUA}) \wedge \\
\mathrm{simple}(isocs_p) \wedge (\forall i \in \{1, \ldots, p\})(isocs'_i = \mathrm{normalize}(isocs_i))
\end{array}\right) \quad (40)$$

where $[r_1, \ldots, r_p]$ is a subsequence¹ of $R$ (defined in (30)). 

This in turn implies $\mathrm{satisfiable}(isocs\,\hat{}\,[sec : T], \sigma_p, =_{SUA})$ from the definition of satisfiability. 

¹ $s'$ is a subsequence of a sequence $s$, if $s = s'\,\hat{}$ 

We can then combine this with the fact that $S_1$ is a semi-bundle of $P_1$, and $isocs$ is a 
constraint sequence of $S_1$, and conclude: 

$$\text{semi-bundle}(S_1, P_1) \wedge \mathrm{conseq}(isocs, S_1) \wedge (isocs = [\_ : \_, \ldots, \_ : T]) \wedge 
\mathrm{satisfiable}(isocs\,\hat{}\,[sec : T], \sigma_p, =_{SUA}).$$

But from Definition 7 (Secrecy), this implies $\neg\mathrm{secureForSecrecy}(P_1, =_{SUA})$, a contradiction 
to the hypothesis. Hence, $P_1$ is always secure for secrecy in the $=_{SUA}$ theory, in 
combination with $P_2$ (or any other set of protocols) with which it is $\mu$-NUT-Satisfying. 

□ 

6 Conclusion 

In this paper, we provided formal proofs that tagging to ensure non-unifiability of distinct 
encryptions prevents type-flaw and multi-protocol attacks under the ACUN properties induced 
by the Exclusive-OR operator. We will now discuss some prospects for future work 
and related work. 

6.1 Future work 

Our results can be achieved under other equational theories the same way as we achieved 
them under the ACUN theory: when we use BSCA, the unification algorithms for the other 
theories will return an empty unifier, since their problems will have only constants as 
subterms. Hence, only unifiers from the standard unification algorithm need to be considered, 
which are always well-typed for NUT-Satisfying protocols. In addition, this reasoning has 
to be given within a symbolic constraint solving model that takes the additional equational 
theories into account (the model we used, adapted from [5], was tailored to accommodate 
only ACUN). 

Our result on type-flaw attacks is obviously independent of security properties: it is 
valid for any property that can be tested on all possible protocol execution traces. Hence, 
we conjecture that it will also be valid for properties such as observational equivalence, 
which has been of interest to many protocol researchers of late (e.g. [13, 17]). However, this 
property has traditionally been defined only in the applied pi-calculus. To use the results of 
this paper, we would first have to give an equivalent definition in symbolic constraint 
solving, which is the model used in this paper (perhaps by extending [18]). 

We achieved our result on multi-protocol attacks specifically for secrecy. The reason 
for this was that, in order to prove that attacks exist in isolation if they do in combination, 
we had to have a precise definition of what an "attack" is to begin with. However, 
other properties such as authentication and observational equivalence can be considered on 
a case-by-case basis with a similar proof pattern. 

At the core of our proofs is the use of BSCA. However, that algorithm only works 
for disjoint theories that do not share any operators. For instance, the algorithm cannot 
consider equations of the form 

$$[a, b] \oplus [c, d] = [a \oplus c, b \oplus d].$$

We plan to expand our proofs to include such equations in future. However, it can 
easily be seen that the proof of Theorem 1 falls apart under this equation. For instance, 
consider the following unification problem: 

$$[nonce, N_B] = [nonce, n_b] \oplus [agent, a] \oplus [agent, b].$$

This problem is not unifiable in the $=_{SUA}$ theory, but it is when we add the new 
equation above to the theory, since $N_B$ can be substituted with $n_b \oplus a \oplus b$ to make the terms 
equal, which is an ill-typed substitution. It does not seem that a similar effect exists for 
multi-protocol attacks, but we intend to investigate further in that direction. 
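As an added illustration of this remark (example code written for this edit, not the paper's own), the block below normalizes XOR terms under the ACUN identities and then, optionally, applies the pairing equation $[a, b] \oplus [c, d] = [a \oplus c, b \oplus d]$ before trying to match the two sides of the problem above. The term encoding, the type assignments for the constants, and the use of one-sided syntactic matching in place of a full ACUN unification procedure are assumptions of the example: matching is enough to exhibit the substitution that the extra equation makes available, and to check that it is ill-typed.

```python
# Added example (not the paper's code): ACUN normal forms for XOR terms, and what the
# extra equation [a,b] (+) [c,d] = [a(+)c, b(+)d] does to the unification problem above.
# Term encoding (assumed): constants are strings, ('var', name) is a variable,
# ('pair', s, t) is the sequence [s, t] and ('xor', t1, ..., tn) is t1 (+) ... (+) tn.
from collections import Counter

ZERO = ('zero',)  # the unit of XOR (the U in ACUN)

def is_var(t):
    return isinstance(t, tuple) and t[0] == 'var'

def is_pair(t):
    return isinstance(t, tuple) and t[0] == 'pair'

def is_xor(t):
    return isinstance(t, tuple) and t[0] == 'xor'

def acun_normalize(t):
    """Normal form: flatten nested XORs (A), drop the unit (U), cancel duplicate
    arguments pairwise (N) and sort what remains (C)."""
    if is_pair(t):
        return ('pair', acun_normalize(t[1]), acun_normalize(t[2]))
    if not is_xor(t):
        return t
    args = []
    for s in t[1:]:
        s = acun_normalize(s)
        args.extend(s[1:] if is_xor(s) else [s])      # associativity
    counts = Counter(a for a in args if a != ZERO)     # unit
    survivors = sorted((a for a, n in counts.items() if n % 2 == 1), key=repr)  # N, then C
    if not survivors:
        return ZERO
    if len(survivors) == 1:
        return survivors[0]
    return ('xor',) + tuple(survivors)

def distribute_pairs(t):
    """Rewrite with the added equation: an XOR of sequences becomes a sequence of XORs."""
    t = acun_normalize(t)
    if is_pair(t):
        return ('pair', distribute_pairs(t[1]), distribute_pairs(t[2]))
    if not is_xor(t):
        return t
    args = [distribute_pairs(s) for s in t[1:]]
    pairs = [a for a in args if is_pair(a)]
    rest = [a for a in args if not is_pair(a)]
    if len(pairs) < 2:
        return acun_normalize(('xor',) + tuple(args))
    merged = ('pair', ('xor',) + tuple(p[1] for p in pairs),
                      ('xor',) + tuple(p[2] for p in pairs))
    return acun_normalize(('xor', distribute_pairs(merged)) + tuple(rest))

def match(pat, term, subst=None):
    """One-sided syntactic matching: bind the variables of pat so that pat == term.
    This stands in for a full ACUN unification procedure; it only needs to exhibit
    the substitution, not to decide unifiability in general."""
    subst = {} if subst is None else subst
    if is_var(pat):
        if pat[1] in subst:
            return subst if subst[pat[1]] == term else None
        subst[pat[1]] = term
        return subst
    if isinstance(pat, tuple) and isinstance(term, tuple) \
            and len(pat) == len(term) and pat[0] == term[0]:
        for p, s in zip(pat[1:], term[1:]):
            if match(p, s, subst) is None:
                return None
        return subst
    return subst if pat == term else None

# Assumed type discipline: a variable may only be bound to an atom of its own type,
# so an XOR mixing a nonce with agent names is ill-typed for a nonce variable.
TYPE_OF = {'nonce': 'tag', 'agent': 'tag', 'n_b': 'nonce', 'a': 'agent', 'b': 'agent'}
VAR_TYPE = {'N_B': 'nonce'}

def well_typed(subst):
    return all(TYPE_OF.get(t) == VAR_TYPE[x] for x, t in subst.items())

def future_work_problem(with_pair_homomorphism):
    """[nonce, N_B] = [nonce, n_b] (+) [agent, a] (+) [agent, b], the problem above.
    Returns the matching substitution, or None when the sides cannot be matched."""
    lhs = ('pair', 'nonce', ('var', 'N_B'))
    rhs = ('xor', ('pair', 'nonce', 'n_b'), ('pair', 'agent', 'a'), ('pair', 'agent', 'b'))
    rhs = distribute_pairs(rhs) if with_pair_homomorphism else acun_normalize(rhs)
    return match(lhs, rhs)

if __name__ == '__main__':
    print(future_work_problem(False))   # None: a sequence never equals an XOR of sequences
    theta = future_work_problem(True)
    print(theta, 'well-typed:', well_typed(theta))
```

Without the pairing equation the right-hand side stays an XOR of three distinct sequences, so the sequence on the left cannot match it; with the equation the three sequences collapse into one, the two `agent` tags cancel under nilpotency, and the only binding left for $N_B$ is $a \oplus b \oplus n_b$, which the type check rejects.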

The most significant advantage of being able to prevent type-flaw attacks is that analysis 
could be restricted to well-typed runs only. This has been shown to assist decidability 
results in the standard, free theory [28, 40] but not under monoidal theories. We are 
currently pursuing a decidability result for protocol security in the presence of 
XOR. 

6.2 Related work 

To the best of our knowledge, the consideration of algebraic properties and/or equational 
theories for type-flaw and multi-protocol attacks is uncharted waters, with the exception 
of a recent paper [9]. 

Type-flaw attacks. Type-flaw attacks on password protocols were studied by Malladi et 
al. in [31]. That is the closest that we know of any study of type-flaw attacks where the 
perfect encryption assumption was relaxed. Some recent works studied type-flaw attacks 
using new approaches such as rewriting [38] and the process calculus LySa [19]. However, 
they do not discuss type-flaw attacks under operators with algebraic properties. 

Recently, in [34], we gave a proof sketch that tagging prevents type-flaw attacks even 
under XOR. The current paper is an extended, journal version of [34] with the addition of a 
new result for multi-protocol attacks. 

A proof was presented in Malladi's PhD dissertation [29] that type-flaw attacks can 
be prevented by component numbering, with the constraint solving model of [37] as the 
framework. A similar proof approach was taken by Arapinis et al. in [1] using Comon et 
al.'s constraint solving model [12] as the framework. In [7], we used the proof style of [29] 
to prove the decidability of tagged protocols that use XOR with the underlying framework 
of [5], which extends [37] with XOR. That work is similar to our proofs since we too use the 
same framework ([5]). Further, we use BSCA as a core aspect of this paper along the lines 
of [7]. 

Multi-protocol attacks. Kelsey et al. in their classical work [25] showed that for any 
protocol, another protocol can be designed to attack it. Cremers studied the feasibility 
of multi-protocol attacks on published protocols and found many attacks, thereby demonstrating 
that they are a genuine threat to protocol security [16]. However, Cremers did not 
consider algebraic properties in the analysis. 

Multi-protocol attacks with the perfect encryption assumption relaxed were 
first studied by Malladi et al. in [32] through "multi-protocol guessing attacks" on password 
protocols. Delaune et al. proved that these can be prevented by tagging in 

The original work of Guttman et al. in [21] assumed that protocols would not have 
type-flaw attacks when they proved that tagging/disjoint encryption prevents multi-protocol 
attacks. But a recent work by Guttman seems to relax that assumption [20]. Both [21] 
and [20] use the strand space model [42]. Our protocol model in this paper is also based 
on strand spaces, but the penetrator actions are modeled as symbolic reduction rules in the 
constraint solving algorithm of [5, 37], as opposed to penetrator strands in [42]. Cortier and 
Delaune also seem to prove that multi-protocol attacks can be prevented with tagging, 
which is slightly different from [21] and considers composed/non-atomic keys [15]. They 
too seem to use constraint satisfiability to model penetrator capabilities. 

None of the above works considered the XOR operator or any other operator that possesses 
algebraic properties. 

In a recent paper that is about to appear in the CSF symposium, Ciobaca and Cortier 
seem to present protocol composition for arbitrary primitives under equational theories with 
and without the use of tagging [9]. Their results seem very general and broadly applicable. 
As future work, they comment in the conclusion of that paper that it is a challenging open 
problem to address cases where multiple protocols use XOR, which is solved in this paper. 

XOR operator. Ryan and Schneider showed in [41] that new attacks can be launched on 
protocols when the algebraic properties of the XOR operator are exploited. In [6], Chevalier 
et al. described the first NP decision procedure to analyze protocols that use the XOR 
operator with a full consideration of its algebraic properties. We use an adapted version 
of their NSL protocol in this paper as a running example. In an impressive piece of work, 
Chevalier also introduced a symbolic constraint solving algorithm for analyzing protocols 
with XOR, which we use as our framework in this paper [5]. 

In an interesting work [26], Kuesters and Truderung showed that the verification of 
protocols that use the XOR operator can be reduced to verification in a free term algebra, 
for a special class of protocols called $\oplus$-linear protocols², so that ProVerif can be used for 
verification. 

Chen et al. recently reported an extension of Kuesters-Truderung to improve the efficiency 
of verification by reducing the number of substitutions that need to be considered (thereby 
improving the performance of ProVerif), and a new bounded process verification approach 
to verify protocols that do not satisfy the $\oplus$-linearity property [4]. 

These results have a similarity with ours, in the sense that we too show that the algebraic 
properties of XOR have no effect when some of the messages are modified to suit our 
requirements. 

A few months back, Chevalier and Rusinowitch reported a nice way to compile cryptographic 
protocols into executable roles and retain the results for combinations of equational theories 
in the context of compiling. Like other works described above, their work does not 
seem to use tagging. 

² Kuesters-Truderung define a term to be $\oplus$-linear if for each of its subterms of the form $s \oplus t$, either $t$ or 
$s$ is ground. 






Acknowledgments. I benefited greatly from the following people's help and guidance: 
Jon Millen (MITRE, USA) clarified numerous concepts about constraint solving and some 
crucial aspects of XOR unification. Pascal Lafourcade (UFR IMA, France) gave several 
useful comments and reviews of the paper. Yannick Chevalier (IRIT, France) explained 
some concepts about his extensions to the Millen-Shmatikov model with XOR. More 
importantly, our joint work toward decidability in [7] helped in laying the structure of proofs in 
this paper. 

Funding. This work was funded in part by a doctoral SEED grant by the Graduate School at 
Dakota State University. I am particularly grateful to Dean Tom Halverson (College of BIS) 
and Dean Omar El-Gayar (College of Graduate Studies and Research) for their continued 
support for my research. 

References 

[1] M. Arapinis and M. Duflot. Bounding messages for free in security protocols. In 
FSTTCS 2007: Foundations of Software Technology and Theoretical Computer Science, 
pages 376-387, 2007. 

[2] F. Baader and K. U. Schulz. Unification in the union of disjoint equational theories: 
Combining decision procedures. J. of Symbolic Computation, 21:211-243, 1996. 

[3] B. Blanchet. A computationally sound mechanized prover for security protocols. In 
IEEE Symposium on Security and Privacy, pages 140-154, Oakland, California, May 
2006. 

[4] X. Chen, T. V. Deursen, and J. Pang. Improving automatic verification of security 
protocols with xor. In 11th Conference on Formal Engineering Methods - ICFEM'09, 
2009. 

[5] Y. Chevalier. A simple constraint solving procedure for protocols with exclusive-or. 
Presented at Unif2004 workshop, 2004. Available at http://www.lsv.ens-cachan.fr/unif/past/unif04/program.html. 

[6] Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. An NP decision procedure 
for protocol insecurity with XOR. In Proc. 18th Annual IEEE Symposium on Logic in 
Computer Science (LICS'03), pages 261-270. IEEE Computer Society Press, 2003. 

[7] Y. Chevalier and S. Malladi. Decidability of "real-world" context-explicit security 
protocols. Tech. Report, SD SEED Grant project, 2007. 

[8] Y. Chevalier and M. Rusinowitch. Compiling and securing cryptographic protocols. 
Information Processing Letters, 110(3):116-122, 2010. 

[9] S. Ciobaca and V. Cortier. Protocol composition for arbitrary primitives. In To Appear 
Proceedings of Computer Security Foundations Symposium. IEEE, 2010. 






[10] J. A. Clark and J. Jacob. A Survey of Authentication Protocol Literature: Version 1.0. 
University of York, Department of Computer Science, November 1997. 

[11] E. Cohen. TAPS: A first-order verifier for cryptographic protocols. In Computer 
Security Foundations Workshop (CSFW), pages 144-158, 2000. 

[12] H. Comon-Lundh, V. Cortier, and E. Zalinescu. Deciding security properties for cryptographic 
protocols, application to key cycles. CoRR, abs/0708.3564, 2007. 

[13] R. Corin, S. Malladi, J. Alves-Foss, and S. Etalle. Guess what? Here is a new tool 
that finds some new guessing attacks. In Workshop in the Issues of Theory of Security 
(WITS03), Poland, Warsaw, April 2003. 

[14] V. Cortier and S. Delaune. Safely composing security protocols. Formal Methods in 
System Design, 2008. To appear. 

[15] V. Cortier and S. Delaune. Safely composing security protocols. Formal Methods in 
System Design, 34(1):1-36, 2009. 

[16] C. J. F. Cremers. Feasibility of multi-protocol attacks. In First International Conference 
on Availability, Reliability and Security (ARES 2006), pages 287-294. IEEE, April 
2006. 

[17] S. Delaune, S. Kremer, and M. D. Ryan. Composition of password-based protocols. In 
Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF'08), 
pages 239-251, Pittsburgh, PA, USA, June 2008. IEEE Computer Society Press. 

[18] S. Escobar, C. Meadows, and J. Meseguer. Equational cryptographic reasoning in the 
Maude-NRL protocol analyzer. Electr. Notes Theor. Comput. Sci., 171(4):23-36, 2007. 

[19] H. Gao, C. Bodei, and P. Degano. A formal analysis of complex type flaw attacks on 
security protocols. In AMAST 2008: Proceedings of the 12th International Conference 
on Algebraic Methodology and Software Technology, pages 167-183. Springer-Verlag, 2008. 

[20] J. D. Guttman. Cryptographic protocol composition via the authentication tests. In 
(To Appear) Foundations of Software Science and Computation Structures (FOSSACS 
2009). LNCS, March 2009. 

[21] J. D. Guttman and F. J. Thayer. Protocol Independence through Disjoint Encryption. 
13th IEEE Computer Security Foundations Workshop, pages 24-34, July 2000. 

[22] J. Heather, G. Lowe, and S. Schneider. How to prevent type flaw attacks on security 
protocols. In Proc. 13th Computer Security Foundations Workshop, pages 255-268. 
IEEE Computer Society Press, July 2000. 

[23] J. Heather, G. Lowe, and S. Schneider. How to prevent type flaw attacks on security 
protocols. Journal of Computer Security, 11(2):217-244, 2003. 






[24] J. Heather and S. Schneider. Towards automatic verification of security protocols 
on an unbounded network. In Proc. 13th Computer Security Foundations Workshop, 
pages 132-143. IEEE Computer Society Press, 2000. 

[25] J. Kelsey, B. Schneier, and D. Wagner. Protocol Interactions and the Chosen Protocol 
Attack. In Proc. Security Protocols - 5th International Workshop, pages 91-104. 
LNCS 1361, 1997. 

[26] R. Küsters and T. Truderung. Reducing protocol analysis with xor to the xor-free case 
in the horn theory based approach. In ACM Conference on Computer and Communications 
Security, pages 129-138, 2008. 

[27] G. Lowe. Some new attacks on cryptographic protocols. In Proceedings of 9th Computer 
Security Foundations Workshop. IEEE, 1996. 

[28] G. Lowe. Towards a completeness result for model checking of security protocols. 
Journal of Computer Security, 7(2-3):89-146, 1999. 

[29] S. Malladi. PhD Dissertation - Formal analysis and verification of password protocols. 
University of Idaho, 2004. 

[30] S. Malladi. Protocol independence through disjoint encryption under Exclusive-OR. 
In Proceedings of Foundations of Computer Security and Privacy (FCS-PrivMod), 
2010. 

[31] S. Malladi and J. Alves-Foss. How to prevent type-flaw guessing attacks on password 
protocols. In Workshop on Foundations of Computer Security (FCS03), Ottawa, 
Canada, June 2003. 

[32] S. Malladi, J. Alves-Foss, and S. Malladi. What are multi-protocol guessing attacks 
and how to prevent them. In 11th IEEE International Workshops on Enabling Technologies: 
Infrastructure for Collaborative Enterprises (WETICE 2002), pages 77-82. 
IEEE Computer Society, June 2000. 

[33] S. Malladi and G. S. Hura. What is the best way to prove a cryptographic protocol 
correct? (position paper). In Workshop on Security in Systems and Networks 
(SSN 2008), IEEE International Symposium on Parallel and Distributed Processing 
(IPDPS 2008), pages 1-7, 2008. 

[34] S. Malladi and P. Lafourcade. How to prevent type-flaw attacks under algebraic properties. 
In Security and Rewriting Techniques. Affiliated to CSF09, July 2009. 

[35] C. Meadows. Analysis of the Internet Key Exchange protocol using the NRL protocol 
analyzer. In Proceedings, 1999 IEEE Symposium on Security and Privacy. IEEE 
Computer Society Press, May 1999. 

[36] C. Meadows. A procedure for verifying security against type confusion attacks. In 
Proc. 16th Computer Security Foundations Workshop, pages 62-74. IEEE Computer 
Society Press, 2003. 






[37] J. Millen and V. Shmatikov. Constraint solving for bounded-process cryptographic 
protocol analysis. In Proc. ACM Conference on Computer and Communication Security, 
pages 166-175. ACM Press, 2001. 

[38] M. Nesi and G. Nocera. Deriving the type flaw attacks in the Otway-Rees protocol by 
rewriting. Nordic J. of Computing, 13(1):78-97, 2006. 

[39] R. Ramanujam and S. P. Suresh. Tagging makes secrecy decidable for unbounded 
nonces as well. In 23rd FST&TCS, Lecture Notes in Computer Science, volume 2914, 
pages 323-374, December 2003. 

[40] R. Ramanujam and S. P. Suresh. Decidability of context-explicit security protocols. 
Journal of Computer Security, 13:135-165, 2005. 

[41] P. Y. A. Ryan and S. A. Schneider. An attack on a recursive authentication protocol, 
a cautionary tale. Inf. Process. Lett., 65(1):7-10, 1998. 

[42] F. J. Thayer, J. C. Herzog, and J. D. Guttman. Strand spaces: Why is a security 
protocol correct? In Proc. IEEE Symposium on Research in Security and Privacy, 
pages 160-171. IEEE Computer Society Press, 1998. 

[43] M. Tuengerthal. Implementing a Unification Algorithm for Protocol Analysis with 
XOR. Technical Report 0609, Institut für Informatik, CAU Kiel, Germany, 2006. 






A Appendix 

In the appendix, we first provide an index for the notation and terminology in Section A.1. 
We then provide a detailed formalization of the Baader & Schulz Algorithm for combined 
theory unification [2] in Section A.2. 

A.1 Index - Notation and Terminology 
A.1.1 Symbols 



$[t_1, \ldots, t_n]$ : Sequence of terms $t_1$ through $t_n$, that are linearly ordered. 

$[t]_k^{\rightarrow}$ : $t$ encrypted using $k$ with an asymmetric encryption algorithm. 

$[t]_k$ : $t$ encrypted using $k$ with a symmetric encryption algorithm. 

$h(t)$ : The hash of $t$ using some hashing algorithm. 

$sig_k(t)$ : The signature of $t$ using a private key that is verifiable with the public key $k$. 

$t_1 \oplus \ldots \oplus t_n$ : Terms $t_1$ through $t_n$ XORed together. 

$\hat{}$ : $s_1\,\hat{}\,s_2$ indicates concatenation of two sequences $s_1$ and $s_2$. 

$\prec_t$ : A linear order relation obeyed by the elements of a sequence $t$; read $t_i \prec_t t_j$ as $t_i$ precedes $t_j$ in the sequence $t$. 

$\prod_{i=1}^{n} c_i$ : Sequence concatenation of $c_1$ through $c_n$. 

$\sqsubseteq$ : Subterm relation; $t \sqsubseteq t'$ indicates $t$ is a part of $t'$. 

(interm) : Interm relation; $t$ interm $t'$ implies that $t$ equals $t'$, or an interm of one of the elements of $t'$ if $t'$ is a sequence, or is part of the plain-text if $t'$ is an encryption; 

$\mathcal{P}(X)$ : Power-set of $X$; 

$x/X$ : $x$ is substituted for the variable $X$; 

$\sigma, \tau, \rho, \alpha, \beta$ : Sets of substitutions; 

$\Sigma$ : Sets of sets of substitutions; 

$t =_{Th} t'$ : $t$ is equal to $t'$ in the theory $Th$; 

$\Gamma$ : A unification problem or a finite set of equations; 

$\mathcal{A}_E$ : Unification algorithm that returns the most general unifiers in the theory $=_E$ for an $E$-Unification Problem; 

$(S \cup A)$ : $STD \cup ACUN$; 

$\Gamma_3$ : Obtained from $\Gamma_2$ such that variables in $\Gamma_2$ are replaced by other variables in their equivalence classes in a variable identification partition on the variables called $VarIdP$; 

$\Gamma_{4.1}$ : $\Gamma_3$ split into problems from only the theory $Th_1$; 

$\Gamma_{4.2}$ : $\Gamma_3$ split into problems from only the theory $Th_2$; 

$V_1, V_2$ : $\{V_1, V_2\}$ is a partition on the variables of $\Gamma_3$; 

$\Gamma_{5.1}$ : Variables in $\Gamma_{4.1}$ that belong to $V_2$ are replaced by new constants; 

$\Gamma_{5.2}$ : Variables in $\Gamma_{4.2}$ that belong to $V_1$ are replaced by new constants; 

$\alpha, \beta$ : The sets of substitutions for the replacement of variables with new constants in $\Gamma_{5.1}$ and $\Gamma_{5.2}$; 

$<$ : $X < Y$ indicates that variable $X$ is not a subterm of an instantiation of $Y$; 

combined unifier of $\sigma_1$ and $\sigma_2$ : The unifier in the theory $Th_1 \cup Th_2$ obtained from $\sigma_1$ and $\sigma_2$, if $\sigma_1$ is the unifier for $\Gamma_{5.1}$ and $\sigma_2$ is the unifier for $\Gamma_{5.2}$; 

$m : T$ : A constraint describing that term $m$ should be derivable by using attacker actions on the set of terms $T$; 

$+t$ : A node that sends a term $t$; 

$-t$ : A node that receives a term $t$. 
A.1.2 Words 


$Vars$ : Set of all variables; 

$Constants$ : Set of all constant values that are indivisible (nonce, agent etc.); 

$in$ : $a$ in $as$ represents that $a$ is an element in the sequence $as$; 

$T(F, Vars)$ : Term algebra; set of all terms using function symbols $F$ and $Vars$; 

$Terms()$ : Overloaded function returning all the terms in a set of terms, strands, or set of strands; 

$type()$ : Function returning the type of a term (agent, nonce, nonce encrypted with a public key etc.); 

$SubTerms()$ : Overloaded function returning all the subterms in a set of terms, strands, protocol, or semi-bundle; 

$EncSubt()$ : Overloaded function returning all the encrypted subterms of a term, or set of strands; 

well-typed() : Predicate returning true if a substitution or set of substitutions is such that values are substituted for variables of the same type; 

$STD$ : Set of identities involving StdOps-Terms that is the basis for the $=_{STD}$ theory; 

$ACUN$ : Set of identities involving only the $\oplus$ operator to reflect its ACUN algebraic properties; 

disjoint($Th_1$, $Th_2$) : Predicate returning true if $Th_1$ and $Th_2$ do not share operators; 

ast($t'$, $t$, $Th$) : Predicate returning true if $t'$ is a subterm of $t$ and made with operators not belonging to $Th$; 

pure($t$, $Th$) : Predicate returning true if $t$ has no alien subterms wrt operators of $Th$; 

$NewVars$ : A subset of $Vars$ that did not previously appear in a unification problem; 
$NewConstants$ : A subset of $Constants$ that did not previously appear in a unification problem; 

$VarIdP$ : A partition on all the variables in a unification problem; 

least($x$, $X$, $<$) : Returns true if $x$ is the minimal element of $X$ wrt the linear relation $<$; 

Node : Tuple $(\pm, Term)$; 

Strand : Sequence of nodes; 

$FreshVars$ : Variables in a strand that are of the type nonce, session-key etc.; 

$LTKeys()$ : Returns the set of subterms in a protocol that resemble $sh(\_, \_)$; 

semi-strand : Strand obtained by instantiating the known variables of a role; 

semi-bundle : Set of semi-strands; 

constraint($(m, T)$) : true if $m : T$ is a constraint with $m$ as the target and $T$ as the termset; 

conseq($cs$, $S$) : $cs$ is a constraint sequence from the semi-bundle $S$; 

simple($c$) : $c$ is a constraint with only a variable on its target; 

simple($cs$) : $cs$ is a constraint sequence with only simple constraints; 

active($c$, $cs$) : true if all constraints in $cs$ prior to $c$ are simple; 

$cs^{<}$ : Returns the constraint sequence prior to the active constraint of $cs$; 

$cs^{>}$ : Returns the constraint sequence after the active constraint of $cs$; 
applicable($r$, $cs$, $cs'$, $\sigma$, $\sigma'$, $Th$) : true if $r$ is applicable on $cs$, transforming it into $cs'$, and changing its substitution from $\sigma$ to $\sigma'$ in the theory $Th$; 

normal($cs$) : true if $cs$ has no free variables, or pairs, in the target or termset of its active constraint; 

normalize($cs$) : Function that transforms $cs$ into a normal constraint sequence and returns it; 

typeFlawAttack($P$, $Th$) : true if a constraint sequence from a semi-bundle of $P$ can only be satisfied with an ill-typed substitution in the theory $Th$; 

secureForSecrecy($P$, $Th$) : true if protocol $P$ does not have a potential breach of secrecy in the theory $Th$; 

NUT-Satisfying($P$) : true if $P$ satisfies three conditions including non-unifiable encrypted subterms (in the $S \cup A$ theory) and no free variables as asymmetric keys inside XOR terms; 

$\mu$-NUT-Satisfying($P_1$, $P_2$) : true if encrypted subterms of $P_1$ are non-unifiable with the encrypted subterms of $P_2$, in the $S \cup A$ theory; 



A.2 Baader & Schulz Combined Theory Unification Algorithm (BSCA) 

We will now consider how two UAs for two disjoint theories =E1 and =E2 may be combined 
to output the unifiers for (E1 ∪ E2)-UPs using the Baader & Schulz Combination Algorithm 
(BSCA) [ref]. 

We will use the following (S ∪ A)-UP as our running example§: 

{ [1, na]pk(B) =S∪A [1, NB]pk(a) ⊕ [2, A] ⊕ [2, b] } . 

BSCA takes as input an (E1 ∪ E2)-UP, say Γ, and applies some transformations on it 
to derive Γ5.1 and Γ5.2, which are an E1-UP and an E2-UP respectively. 

Step 1. (Purify terms) 

BSCA first "purifies" the given set of (E = E1 ∪ E2)-UP, Γ, into a new set of problems Γ1, 
such that all the terms are pure wrt =E1 or =E2. 

§ We omit the superscript on encrypted terms in this problem, since they obviously use only 
asymmetric encryption. 

If our running example was Γ, then the set of problems in Γ1 are W =STD [1, na]pk(B), 
X =STD [1, NB]pk(a), Y =STD [2, A], Z =STD [2, b], and W =ACUN X ⊕ Y ⊕ Z, where 
W, X, Y, Z are obviously new variables that did not exist in Γ. 

Step 2. (Purify problems) 

Next, BSCA purifies Γ1 into Γ2 such that every problem in Γ2 has both terms pure wrt the 
same theory. 

For our example problem, this step can be skipped since all the problems in Γ1 already 
have both their terms purely from the same theory (=STD or =ACUN). 

Step 3. (Variable identification) 

Next, BSCA partitions Vars(Γ2) into a partition VarIdP such that each variable in Γ2 is 
replaced with a representative from the same equivalence class in VarIdP. The result is 
Γ3. 

In our example problem, one set of values for VarIdP can be 

{ {A}, {B}, {NB}, {W}, {X}, {Y, Z} }. 

Step 4. (Split the problem) 

The next step of BSCA is to split Γ3 into two UPs, Γ4.1 and Γ4.2, such that each of them has 
every problem with terms from the same theory, Th1 or Th2. 
Following this in our example, 

Γ4.1 = { W =STD [1, na]pk(B), X =STD [1, NB]pk(a), Y =STD [2, A], Z =STD [2, b] }, 

and 

Γ4.2 = { W =ACUN X ⊕ Y ⊕ Y }. 

Step 5. (Solve systems) 

The penultimate step of BSCA is to partition all the variables in Γ3 into a partition of 
size two: let p = {V1, V2} be a partition of Vars(Γ3). Then the earlier problems (Γ4.1, Γ4.2) 
are further split such that all the variables in one set of the partition are replaced with 
new constants in the other set, and vice-versa. The resulting sets are Γ5.1 and Γ5.2. 

In our sample problem, we can form {V1, V2} as { Vars(Γ3), {} }, i.e., we choose that 
all the variables in the problems of Γ5.2 be replaced with new constants. This is required to 
find the unifier for the problem (this is the partition that will successfully find a unifier). 

So Γ5.1 stays the same as Γ4.1, but Γ5.2 is changed to 

Γ5.2 = Γ4.2β = { W =ACUN X ⊕ Y ⊕ Y }β = { w =ACUN x ⊕ y ⊕ y }, 

i.e., β = {w/W, x/X, y/Y}, where w, x, y are constants which obviously did not 
appear in Γ5.1. 
Step 6. (Combine unifiers) 

The final step of BSCA is to combine the unifiers for Γ5.1 and Γ5.2, obtained using A_E1 and 
A_E2. This was given in Def. [ref]. 
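Steps 1, 2 and 4 of BSCA carried out mechanically on the running example, as an added illustration that is not the paper's code. The term encoding (Python tuples, 'xor' as the only ACUN symbol, fresh variables named V1, V2, ...) is an assumption of this example; Step 3 (variable identification) is not performed, so the split output is Γ1 grouped by theory rather than Γ4.1 and Γ4.2.

```python
# Steps 1-2 (purification) and Step 4 (split) of the Baader & Schulz combination
# algorithm on the running example above; an added illustration, not the paper's
# code.  Term encoding (assumed): atoms are str (variables uppercase, 'NB';
# constants lowercase, 'na'); compound terms are tuples (op, *args), where
# 'xor' is the ACUN symbol and every other symbol belongs to the free theory STD.
from itertools import count

ACUN_OPS = {"xor"}

def theory(t):
    """Theory owning the top symbol of t: 'acun', 'std', or None for an atom."""
    if isinstance(t, tuple):
        return "acun" if t[0] in ACUN_OPS else "std"
    return None

def purify(problem):
    """Pure equations (lhs, rhs, theory) for a list of (lhs, rhs) equations.
    Every maximal alien subterm (top symbol from the other theory) becomes a
    fresh variable V_i with a defining equation V_i = subterm in the subterm's
    own theory (Step 1); a whole side of the wrong theory is handled the same
    way, which also covers Step 2."""
    fresh = (f"V{i}" for i in count(1))
    pure_eqs = []

    def abstract(t, th):
        # t with its alien subterms (wrt th) replaced by fresh variables
        if not isinstance(t, tuple):
            return t                      # atoms are pure in every theory
        if theory(t) != th:
            v = next(fresh)
            pure_eqs.append((v, abstract(t, theory(t)), theory(t)))
            return v
        return (t[0],) + tuple(abstract(a, th) for a in t[1:])

    for lhs, rhs in problem:
        th = theory(rhs) or theory(lhs) or "std"   # pure atoms default to STD
        pure_eqs.append((abstract(lhs, th), abstract(rhs, th), th))
    return pure_eqs

def split(pure_eqs):
    """Step 4: group the pure equations into the STD part and the ACUN part."""
    return ([(s, t) for s, t, th in pure_eqs if th == "std"],
            [(s, t) for s, t, th in pure_eqs if th == "acun"])

# The running example, constructed in the encoding above:
#   [1, na]pk(B)  =S∪A  [1, NB]pk(a) ⊕ [2, A] ⊕ [2, b]
RUNNING_EXAMPLE = [(
    ("enc", ("pair", "1", "na"), ("pk", "B")),
    ("xor", ("enc", ("pair", "1", "NB"), ("pk", "a")),
            ("pair", "2", "A"), ("pair", "2", "b")),
)]
```

Running `purify(RUNNING_EXAMPLE)` yields the five equations of Γ1 with V1, V2, V3, V4 playing the roles of W, X, Y, Z.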